August 12, 1994. — Ordered to be printed


Mr. CONYERS, from the Committee on Government Operations,
submitted the following

REPORT 

[To accompany H.R. 3600 which on November 20, 1993, was referred jointly to the
Committee on Energy and Commerce, to the Committee on Ways and Means, and
to the Committee on Education and Labor for consideration of such provisions in
titles I, III, VI, VIII, X, and XI and part 1 of subtitle C of title V as fall within
its jurisdiction pursuant to clause 1(g) of rule X; and concurrently, for a period
ending not later than two weeks after all three committees of joint referral report
to the House (or a later time if the Speaker so designates), to the Committee on
Armed Services for consideration of subtitle A of title VIII and such provisions
of title I as fall within its jurisdiction pursuant to clause 1(c) of rule X, to the
Committee on Veterans' Affairs for consideration of subtitle B of title VIII and
such provisions of title I as fall within its jurisdiction pursuant to clause 1(u) of
rule X, to the Committee on Post Office and Civil Service for consideration of
subtitle C of title VIII and such provisions of title I as fall within its jurisdiction
pursuant to clause 1(o) of rule X, to the Committee on Natural Resources for
consideration of subtitle D of title VIII and such provisions of title I as fall within its
jurisdiction pursuant to clause 1(n) of rule X, to the Committee on the Judiciary
for consideration of subtitles C through F of title V and such other provisions as
fall within its jurisdiction pursuant to clause 1(l) of rule X, to the Committee on
Rules for consideration of sections 1432(d), 6006(f), and 9102(e)(5), and to the
Committee on Government Operations for consideration of subtitle B of title V
and section 5401]

The Committee on Government Operations, to whom was referred
the bill (H.R. 3600) to ensure individual and family security
through health care coverage for all Americans in a manner that
contains the rate of growth in health care costs and promotes responsible
health insurance practices, to promote choice in health
care, and to ensure and protect the health care of all Americans,
having considered the same, report favorably thereon with amendments
and recommend that the bill as amended do pass.

CONTENTS 

The amendments
Report on subtitle B of title V
Report on section 5401 of title V
Committee oversight findings
Committee cost estimate
Inflationary impact statement
Changes in existing law made by the bill, as reported


Page  859,  strike  lines  16  through  18  and  insert  the  following 
(and  conform  the  table  of  contents  of  title  V  accordingly): 


Subtitle B — Administrative Simplification and Fair Health Information Practices


Amend  part  1  of  subtitle  B  of  title  V  (page  859,  line  19,  through 
page  870,  line  23)  to  read  as  follows  (and  redesignate  provisions 
and  conform  the  table  of  contents  of  title  V  accordingly): 


PART  1— ADMINISTRATIVE 
SIMPLIFICATION  STANDARDS 

SEC.  5101.  PURPOSE. 

It  is  the  purpose  of  this  part  to  improve  the  efficiency 
and  effectiveness  of  the  health  care  system  by  encouraging 
the  development  of  a  health  information  network  through 
the  establishment  of  standards  and  requirements  for  the 
electronic  transmission  of  certain  health  information. 

SEC.  5102.  DEFINITIONS. 

For  purposes  of  this  part: 

(1) Carrier. — The term "carrier" means a licensed
insurance company, a hospital or medical service corporation
(including an existing Blue Cross or Blue
Shield organization, within the meaning of section
833(c)(2) of the Internal Revenue Code of 1986), a
health maintenance organization, or other entity licensed
or certified by a State to provide health insurance
or health benefits.

(2) Code set. — The term "code set" means any set
of codes used for encoding data elements of health information,
including tables of terms, medical concepts,
medical diagnostic codes, or medical procedure codes.

(3) Coordination of benefits. — The term "coordination
of benefits" means determining and coordinating
the financial obligations of health information plan
sponsors when health care benefits are payable under
two or more such plans.

(4) Health information. — The term "health information"
means any information that relates to the
past, present, or future physical or mental health or
condition or functional status of an individual, the provision
of health care to an individual, or payment for
the provision of health care to an individual.

(5) Health information network.— The term
"health information network" means the health information
system that is formed through the application
of the requirements of, and the standards established
under, this part.

(6)  Health  information  network  service.— The 
term  "health  information  network  service" — 

(A)  means  a  private  entity  or  an  entity  operated 
by  a  State  that  enters  into  contracts — 

(i)  to  process  or  facilitate  the  processing  of 
nonstandard  health  information  into  standard 
health  information; 

(ii) to provide the means by which persons
are connected to the health information network
for purposes of meeting the requirements
of this part;

(iii)  to  provide  authorized  access  to  health 
information  through  the  health  information 
network;  or 

(iv) to provide specific information processing
services, such as automated coordination
of benefits and claims transaction routing;
and

(B) includes a health information protection organization.

(7)  Health  information  plan. — 

(A) In general. — The term "health information
plan" means —

(i) any contract of health insurance, including
any hospital or medical service policy or
certificate, hospital or medical service plan
contract, or health maintenance organization
group contract, that is provided by a carrier;
and

(ii) an employee welfare benefit plan or
other arrangement insofar as the plan or arrangement
provides health benefits and is
funded in a manner other than through the
purchase of one or more policies or contracts
described in clause (i).

(B)  Exception.— The  term  "health  information 
plan"  does  not  include  any  of  the  following  (or  any 
combination  thereof): 

(i) Coverage issued as a supplement to liability
insurance.

(ii) Liability insurance, including general liability
insurance and automobile liability insurance.

(iii) Worker's compensation or similar insurance.

(iv)  Automobile  medical-payment  insurance. 

(8) Health information plan sponsor. — The term
"health information plan sponsor" means —

(A) a carrier or an eligible sponsor (as defined
in section 1311(b)) providing a health plan; and

(B) a carrier or other person providing any other
health information plan, including any public entity
that provides payments for health care items
and services under a health information plan that
are equivalent to payments provided by a private
person under such a plan.

(9) Health information protection organization.— The
term "health information protection organization"
means a private entity or an entity operated
by a State that accesses standard health information
through the health information network and processes
such information into standard non-identifiable health
information.

(10) Health service provider.— The term "health
service provider" means a provider of services (as defined
in section 1861(u) of the Social Security Act), a
physician, a laboratory (as defined in section 353(a) of
the Public Health Service Act), a supplier, and any
other person furnishing health care. Such term includes
a Federal or State program that directly provides
items or services that constitute health care to
beneficiaries.

(11) Non-identifiable health information.— The
term "non-identifiable health information" means
health information that is not protected health information.

(12)  Patient  medical  record  information.— The 
term  "patient  medical  record  information"  means 
health  information  derived  from  a  clinical  encounter 
that  relates  to  the  past,  present,  or  future  physical  or 
mental  health  or  condition  or  functional  status  of  an 
individual. 

(13) Protected health information. — The term
"protected health information" has the meaning given
such term in section 5120(a)(3).

(14) Standard.— The term "standard", when used
with reference to health information or a transaction
involving such information, means that the information
or transaction meets any standard established by
the Secretary under section 5103 that applies to the
information or transaction.

Subpart A — Standards and Requirements With Respect to Health Information, Information Transactions, and Health Information Network Services

SEC. 5103. STANDARDS FOR HEALTH INFORMATION AND INFORMATION TRANSACTIONS.

(a) Standards to Ensure Comparability of Information.—

(1) In general.— The Secretary shall establish
standards necessary to make a set of health information
described in subsection (b) that is created by a
health information plan sponsor or a health service
provider comparable with the same set of information
created by another such sponsor or provider.

(2) Data elements.— The standards shall specifically
define the data elements that comprise each set
of health information described in subsection (b).

(3) Format.— The standards shall include uniform
presentation and format requirements for the arrangement
of data elements.

(4) Electronic.— The standards shall require that
health information be in electronic or magnetic form.

(5) Unique identifiers.— The Secretary shall establish
a system to provide for a unique identifier for
each eligible individual, employer, health information
plan, health information plan sponsor, and health
service provider.

(6) Code sets. — The Secretary, in consultation with
experts from the private sector and Federal agencies —

(A)  shall  select  code  sets  for  appropriate  data 
elements  from  among  the  code  sets  that  have  been 
developed  by  private  and  public  entities;  or 

(B)  shall  establish  code  sets  for  appropriate  data 
elements  if  no  code  set  for  the  data  elements  has 
been  developed  by  such  entities. 

(b)  Sets  of  Health  Information.— 

(1) Plan and provider transactions.— The Secretary
shall establish a separate set of health information
that is appropriate for transmission in connection
with each transaction described in subsections (a) and
(b) of section 5104.

(2) Encounter information.— The Secretary shall
establish a set of encounter information (including patient
medical record information) derived from inpatient
and outpatient clinical encounters that the Secretary
determines —

(A) is appropriate for creation by a health service
provider to the extent the sponsor does not file
claims for reimbursement for items and services
with health information plan sponsors; and

(B) is necessary to provide information regarding
the operation of such a health service provider,
and health-related items and services provided
by the provider, that is equivalent to information
derived from claims.

(3)  Patient  medical  record  information.— The 
Secretary  shall  establish  a  set  of  patient  medical 
record  information. 

(4) Additions to sets. — The Secretary may make
additions to a set of health information established
under paragraph (1), (2), or (3) as the Secretary determines
appropriate in a manner that minimizes the
disruption to, and costs of compliance incurred by, a
health information plan sponsor or a health service
provider that is required to comply with section 5104.

(c) Standards for Information Transactions.— The
Secretary shall establish standards relating to technical
aspects of the procedure, method, and mode by which a
health information plan sponsor or a health service provider
that is required to comply with section 5104 may
transmit electronically under section 5104 health information
that is included in a set of health information described
in subsection (b). The standards shall include
standards with respect to the format in which such information
shall be transmitted under such section.

(d)  General  Requirements. — In  establishing  standards 
under  this  section,  the  Secretary  shall,  to  the  maximum 
extent  practicable — 

(1)  require  the  use  of  information  that  is  verifiable, 
timely,  accurate,  reliable,  useful,  and  relevant; 

(2)  establish  standards  that  are  consistent  with  the 
objective  of  reducing  the  costs  of  providing  and  paying 
for  health  care; 

(3) incorporate standards that are in use and generally
accepted, or developed, by standard setting or
standard development organizations, including the
American National Standard Institute Federation and
the Healthcare Informatics Standards Planning Panel;
and

(4) rely on and cooperate with organizations described
in paragraph (3).

(e)  Timetables  for  Standards. — 

(1)  Initial  standards.— 

(A) In general. — The Secretary shall develop
an expedited process for the establishment of initial
standards under this section.

(B) Standards to ensure comparability of
information. —

(i) In general. — Except as provided in
clause (ii), not later than 9 months after the
date of the enactment of this Act, the Secretary
shall establish standards under subsection
(a) with respect to each set of health
information described in subsection (b).

(ii) Exceptions. — Not later than 24 months
after the date of the enactment of this Act,
the Secretary shall establish standards under
subsection (a) with respect to health information
that is appropriate for transmission in
connection with the submission of a claim attachment
and the set of patient medical
record information established under subsection
(b)(3). The Secretary shall establish
standards under subsection (a) with respect to
health information that is added to a set of
health information under subsection (b)(4) in
conjunction with making such addition.

(C) Standards for information transactions.—

(i) In general. — Except as provided in
clause (ii), the Secretary shall establish standards
under subsection (c) not later than 9
months after the date of the enactment of this
Act.

(ii)  Exception. — Not  later  than  24  months 
after  the  date  of  the  enactment  of  this  Act, 
the  Secretary  shall  establish  standards  under 
subsection  (c)  with  respect  to  the  submission 
of  a  claim  attachment. 

(2)  Modifications  to  standards.— 

(A) In general. — Except as provided in subparagraph
(B), the Secretary shall review the
standards established under this section and shall
modify such standards as determined appropriate,
but not more frequently than once every 6
months. Any modification under this subparagraph
shall be made in a manner that minimizes
the disruption to, and costs of compliance incurred
by, a health information plan sponsor or a health
service provider that is required to comply with
section 5104.

(B) Special rules. —

(i) Modifications during first 12-month
period. — The Secretary may not modify a
standard established under this section during
the 12-month period beginning on the
date the standard is established unless the
Secretary determines that a modification is
necessary in order to permit a health information
plan sponsor or a health service provider
to comply with section 5104.

(ii) Additions and modifications to code
sets.—

(I) In general. — The Secretary shall
ensure that procedures exist for the routine
maintenance, testing, enhancement,
and expansion of code sets to accommodate
changes in biomedical science and
health care delivery.

(II) Additional rules. — If a code set is
modified under this clause, the modified
code set shall include instructions on how
data elements that were encoded prior to
the modification are to be converted or
translated so as to preserve the value of
the data elements. Any modification to a
code set under this subsection shall be
implemented in a manner that minimizes
the disruption to, and costs of compliance
incurred by, a health information plan
sponsor or a health service provider that
is required to comply with section 5104.

(f) Evaluation of Standards.— The Secretary may establish
a process to measure or verify the consistency of
standards established or modified under this section. The
process may include demonstration projects and analysis of
the cost of implementing such standards and modifications.

(g) Distribution of Code Sets. — The Secretary shall
establish efficient and low-cost procedures for the distribution
of code sets that are selected, established, or modified
under this section.

SEC. 5104. REQUIREMENTS ON PLANS AND PROVIDERS.

(a)  Transactions  by  Plans  and  Providers. — 

(1) In general. — If a health information plan sponsor
conducts any of the transactions described in paragraph
(2) with a health service provider, the transaction
shall be a standard transaction and the health
information transmitted or received in connection with
the transaction shall be standard health information.

(2) Transactions. — The transactions referred to in
paragraph (1) are the following:

(A)  Claim  submission. 

(B)  Submission  of  claim  attachments. 

(C)  Coordination  of  benefits. 

(D)  Such  other  transactions  required  under  this 
Act  or  determined  appropriate  by  the  Secretary  as 
the  Secretary  may  specify  consistent  with  the  goal 
of  reducing  administrative  costs. 

(b)  Transactions  by  Plans.— 

(1) In general. — If a health information plan sponsor
conducts any of the transactions described in paragraph
(2) with any person (other than an individual
acting in the capacity of an eligible individual or a
consumer of health care services), the transaction
shall be a standard transaction and the health information
transmitted or received by the sponsor in connection
with the transaction shall be standard health
information.

(2) Transactions. — The transactions referred to in
paragraph (1) are the following:

(A) Enrollment and disenrollment.

(B) Eligibility verification.

(C) Payment and remittance advice.

(D)  Claims  status  verification. 

(E)  Certification  or  authorization  of  a  referral  to 
a  health  service  provider  who  is  not  a  member  of 
a  provider  network  of  the  health  information  plan 
provided  or  sponsored  by  the  sponsor. 

(F)  Such  other  transactions  required  under  this 
Act  or  determined  appropriate  by  the  Secretary  as 
the  Secretary  may  specify  consistent  with  the  goal 
of  reducing  administrative  costs. 

(c)  Disclosure  of  Information.— 

(1) In general.— A health information plan sponsor
or a health service provider shall have the capacity to
make the standard health information transmitted or
received by the sponsor or provider in connection with
standard transactions described in subsections (a)(2)
and (b)(2), or acquired by the sponsor or provider pursuant
to section 5108(a), available for disclosure as authorized
under section 5105 and part 2.

(2) Special rule.— To the extent that a health service
provider does not file claims for reimbursement for
items and services with health information plan sponsors,
the provider shall have the capacity to make
standard health information regarding the items and
services that is included in the set of encounter data
established by the Secretary under section 5103(b)(2)
available for disclosure as authorized under section
5105 and part 2.

(d) Use of Health Information Network Services. —
A health information plan sponsor or a health service provider
may comply with any provision of this section by entering
into an agreement or other arrangement with a
health information network service certified under section
5107 pursuant to which the service undertakes the duties
applicable to the sponsor or provider under the provision.

(e) Timeliness. — A health information plan sponsor or a
health service provider shall be considered to have satisfied
a requirement under this section only if any action required
to be taken by the sponsor or provider under the requirement
is completed in a timely manner, as determined
under standards established by the Secretary. In setting
standards under this subsection, the Secretary shall take
into consideration —

(1)  the  age  and  amount  of  the  health  information  to 
which  the  requirement  pertains;  and 

(2)  the  ability  of  a  sponsor  or  provider  to  comply 
with  the  requirement. 

(f)  Timetables  for  Compliance.— 

(1)  Initial  compliance.— 

(A) In general.— Not later than 12 months
after the date on which standards are established
under section 5103 with respect to a transaction
referred to in subsection (a)(1) or (b)(1) or a set of
health information described in section 5103(b), a
health information plan sponsor or health service
provider shall comply with the requirements of
this section with respect to the transaction or information.

(B) Additional health information. — Not
later than 12 months after the date on which the
Secretary makes an addition to a set of health information
under section 5103(b), a health information
plan sponsor or health service provider shall
comply with the requirements of this section with
respect to the additional information.

(2) Compliance with modified standards. —

(A) In general. — If the Secretary modifies a
standard established under section 5103, a health
information plan sponsor or health service provider
shall comply with the modified standard at
such time as the Secretary determines appropriate,
taking into account the nature and intent
of the modification.

(B) Special rule. — In the case of a modification
to a standard under subparagraph (A) that does
not occur within the 12-month period beginning
on the date the standard is established, the time
determined appropriate by the Secretary under
subparagraph (A) may not be —

(i)  earlier  than  the  last  day  of  the  90-day 
period  beginning  on  the  date  the  modified 
standard  is  established;  or 

(ii)  later  than  the  last  day  of  the  12-month 
period  beginning  on  the  date  the  standard  is 
established. 

SEC.  5105.  ACCESSING  HEALTH  INFORMATION. 

(a) Access for Authorized Purposes.— The Secretary
shall establish standards under which appropriate persons,
including health information plan sponsors, health service
providers, health information network services, and Federal
and State agencies, may locate and access standard
health information described in section 5104(c) through
the health information network. The standards shall include
safeguards to ensure that a person requesting health
information is authorized under part 2 to receive the information.

(b) Access by Federal and State Agencies.— A health
information protection organization that is certified under
section 5107 shall make available to a Federal or State
agency pursuant to a cost-type contract (as defined under
the Federal Acquisition Regulation) any standard health
information described in section 5104(c) that —

(1) is requested by the agency; and

(2) both the agency and the organization are authorized
to receive under part 2.

(c) Access by Health Information Protection Organizations.— If
a health information protection organization
that is certified under section 5107 requires health information
from a health information plan sponsor or a
health service provider in order to comply with a request
by a Federal or State agency under subsection (b) that is
made to fulfill a requirement under this Act, the sponsor
or provider shall make the information available to the organization
at no charge.

(d) Length of Time Information Accessible.— The
Secretary shall establish standards with respect to the
length of time any data element in a set of health information
established under section 5103(b) should be available
through the health information network under this section.

(e) Use of Health Information Network Services. —
A health information plan sponsor or a health service provider
may comply with any provision of this section by entering
into an agreement or other arrangement with a
health information network service certified under section
5107 pursuant to which the service undertakes the duties
applicable to the sponsor or provider under the provision.

(f) Timetables for Standards and Compliance.—

(1) Initial standards.— The Secretary shall establish
standards under this section not later than 9
months after the enactment of this Act and such
standards shall be effective upon establishment.

(2)  Modifications  to  standards. — 

(A) In general. — Except as provided in subparagraph
(B), the Secretary shall review the
standards established under this section and shall
modify the standards as determined appropriate,
but not more frequently than once every 6
months. Any modification under this subparagraph
shall be made in a manner that minimizes
the disruption to, and costs of compliance incurred
by, a health information plan sponsor or a health
service provider that is required to comply with
section 5104. Any modification to a standard
under this section shall be effective upon establishment.

(B) Special rule.— The Secretary may not modify
any standard under this section during the 12-month
period beginning on the date the standard
is established unless the Secretary determines
that a modification is necessary in order to permit
a health information plan sponsor or a health
service provider to comply with this section or section
5104(c).

SEC. 5106. PROTECTION OF COMMERCIAL INFORMATION.

In establishing standards under this part, the Secretary
shall not require disclosure of trade secrets and confidential
commercial information by entities operating in the
health information network except as required under a law
other than this Act.




SEC. 5107. STANDARDS AND CERTIFICATION FOR HEALTH INFORMATION NETWORK SERVICES.

(a) Standards for Operations. — The Secretary shall
establish standards with respect to the operation of health
information network services, including standards ensuring
that such services —

(1)  develop,  operate,  and  cooperate  with  one  another 
to  form  a  health  information  network; 

(2)  meet  all  of  the  requirements  under  part  2  that 
are  applicable  to  such  services; 

(3) make public information concerning their performance,
as measured by uniform indicators such as
accessibility, transaction responsiveness, administrative
efficiency, reliability, dependability, and any other
indicator determined appropriate by the Secretary;
and

(4) have the highest security procedures that are
practicable with respect to the processing and handling
of health information.

(b)  Certification  by  Secretary. — 

(1) Establishment of procedure. — Not later than
12 months after the date of the enactment of this Act,
the Secretary shall establish a certification procedure
for health information network services which ensures
that services certified under this section are qualified —

(A)  to  meet  the  requirements  of  this  part  and 
the  standards  established  by  the  Secretary  under 
this  section;  and 

(B)  to  ensure  the  confidentiality  of  protected 
health  information  as  required  under  part  2. 

(2) Deemed certification. — The Secretary may
designate private individuals or entities to conduct the
certification procedure established by the Secretary
under this subsection. A health information network
service certified by such an individual or entity in accordance
with such designation shall be considered to
be certified by the Secretary under this subsection.

(3) Application for certification. — Each entity
desiring to be certified as a health information network
service shall apply to the Secretary for certification
in a form and manner determined appropriate
by the Secretary.

(4) Audits and reports.— The procedure established
under paragraph (1) shall provide for audits by
the Secretary and reports by an entity certified under
this section as the Secretary determines appropriate
in order to monitor the compliance by the entity with
the requirements of this part and the standards established
by the Secretary under this section.

(5) Recertification.— A health information network
service shall be recertified under this subsection
not less than every 3 years.

(c) Loss of Certification. —

(1) Mandatory termination. — If a health information
network service violates a provision of part 2, the
certification of the service under this section shall be
terminated unless the Secretary determines that appropriate
corrective action has been taken.

(2) Discretionary termination. — If a health information
service violates a requirement or standard
under this part and a penalty has been imposed under
section 5110, the Secretary shall review the certification
of the service and may terminate the certification.

SEC.  5108.  HEALTH  INFORMATION  CONTINUITY 

(a) Information Held by Plans and Providers.— If a
health information plan sponsor or health service provider
ceases to function, in a manner that would threaten the
continued availability of the standard health information
held by the sponsor or provider, the health information
may be obtained by the State in which the sponsor or provider
is located.

(b) Information Held by Health Information Network
Services. — If a health information network service
is decertified or ceases to function, in a manner that would
threaten the continued availability of the standard health
information held by the service, the health information
shall be transferred to a health information network service
that is certified under section 5106 and designated by
the Secretary to receive the information.

SEC.  5109.  IMPOSITION  OF  ADDITIONAL  REQUIREMENTS. 

(a) In General. — After the Secretary establishes standards
under section 5103 that are necessary to make a set
of health information described in section 5103(b) comparable
and compatible for electronic transmission, a
health information plan sponsor or a health service provider
may not require a health information plan sponsor or
health service provider to provide in any manner any
health information that is not included in such set in connection
with a transaction described in subsection (a)(2) or
(b)(2) of section 5104 unless —

(1)  the  sponsor  or  provider  voluntarily  agrees  to  the 
imposition  of  such  additional  requirement;  or 

(2) a waiver is granted under subsection (b) to establish
such additional requirement.

(b)  Conditions  for  Waivers. — 

(1) In general. — A health information plan sponsor
or health service provider may request a waiver from
the Secretary in order to require a health information
plan sponsor or health service provider to provide additional
data described in subsection (a).

(2) Consideration of waiver requests. — A waiver
may not be granted under this subsection unless the
Secretary determines that the value of the additional
data to be provided for research or other purposes significantly
outweighs the administrative cost of the imposition
of the additional requirement, taking into account
the burden of the timing of the imposition of the
additional requirement.

(3) Anonymous reporting.— If a health information
plan sponsor or a health service provider attempts to
require a health information plan sponsor or health
service provider to provide additional data described
in subsection (a), the sponsor or provider on which
such additional requirement is being imposed may
contact the Secretary. The Secretary shall develop a
procedure under which a sponsor or provider that contacts
the Secretary under the preceding sentence shall
remain anonymous. The Secretary shall notify the
sponsor or provider imposing the additional requirement
that the requirement may not be imposed unless
the other sponsor or provider voluntarily agrees to
such requirement or a waiver is obtained under this
subsection.

SEC.  5110.  CIVIL  MONEY  PENALTIES. 

(a) In General. — Any person who the Secretary determines
is required, but has failed, to comply with a requirement
or standard imposed under this part shall be subject,
in addition to any other penalties that may be prescribed
by law, to a civil money penalty of not more than $1,000
for each such failure.

(b)  Limitations.— 

(1)  Failures  due  to  reasonable  cause.— 

(A) In general. — Except as provided in subparagraphs
(B) and (C) and paragraph (3), a penalty
may not be imposed under subsection (a) if
the failure to comply —

(i) was due to reasonable cause and not to
willful neglect (including a failure by a person
who did not know, and by exercising reasonable
diligence would not have known, that the
person failed to comply); and

(ii) is corrected during the 30-day period beginning
on the 1st date the person liable for
the penalty knew, or by exercising reasonable
diligence would have known, that the failure
to comply occurred.

(B) Extension of period.— The period referred
to in subparagraph (A)(ii) may be extended as determined
appropriate by the Secretary based on
the nature and extent of the failure involved.

(C) Assistance. — If the Secretary determines
that a health information plan sponsor or health
service provider failed to comply with a requirement
or standard imposed under this part because
the sponsor or provider was unable to comply, a
penalty may not be imposed under subsection (a)
and the Secretary may provide technical assistance
to the sponsor or provider in any manner determined
appropriate by the Secretary.

(2) Waiver. — Except as provided in paragraph (3),
in the case of a failure to comply which is due to reasonable
cause and not to willful neglect, any penalty
under subsection (a) that is not entirely waived under
paragraph (1) may be waived to the extent that the
payment of such penalty would be excessive relative to
the compliance failure involved.

(3) Exception. — Paragraphs (1) and (2) do not apply
to a failure by a health information network service to
comply with section 5108(b).

(c)  Administrative  Review. — 

(1) Opportunity for hearing. — A person assessed
under subsection (a) shall be afforded an opportunity
for hearing by the Secretary upon request made within
30 days after the date of the issuance of a notice of
assessment. All hearings shall be determined on the
record pursuant to section 554 of title 5, United States
Code. If no hearing is requested, the assessment shall
constitute a final and unappealable order.

(2) Hearing procedure. — If a hearing is requested,
the initial agency decision shall be made by an administrative
law judge, and such decision shall become the
final order unless the Secretary modifies or vacates
the decision. Notice of intent to modify or vacate the
decision of the administrative law judge shall be issued
to the parties within 30 days after the date of the
decision of the judge. A final order which takes effect
under this paragraph shall be subject to review only
as provided under subsection (d).

(d)  Judicial  Review. — 

(1) Filing of action for review. — Any person
against whom an order imposing a civil money penalty
has been entered after an agency hearing under this
section may obtain review by the United States district
court for any district in which such person is located
or the United States District Court for the District
of Columbia by filing a notice of appeal in such
court within 30 days from the date of such order, and
simultaneously sending a copy of such notice by registered
mail to the Secretary.

(2)  Certification  of  administrative  record.— The 
Secretary  shall  promptly  certify  and  file  in  such  court 
the  record  upon  which  the  penalty  was  imposed. 

(3) Standard for review.— The findings of the Secretary
shall be set aside only if found to be unsupported
by substantial evidence as provided by section
706(2)(E) of title 5, United States Code.

(4) Appeal. — Any final decision, order, or judgment
of such district court concerning such review shall be
subject to appeal as provided in chapter 83 of title 28
of such Code.

(e) Failure to Pay Assessment; Maintenance of Action.—

(1) Failure to pay assessment. — If any person fails
to pay an assessment after it has become a final and
unappealable order, or after the court has entered
final judgment in favor of the Secretary, the Secretary
shall refer the matter to the Attorney General who
shall recover the amount assessed by action in the appropriate
United States district court.

(2) Nonreviewability. — In such action the validity
and appropriateness of the final order imposing the
penalty shall not be subject to review.

(f) Payment of Penalties. — Except as otherwise provided,
penalties collected under this section shall be paid
to the Secretary (or other officer) imposing the penalty and
shall be available without appropriation and until expended
for the purpose of enforcing the provisions with respect
to which the penalty was imposed.

Subpart B — Miscellaneous Provisions

SEC.  5111.  GENERAL  REQUIREMENT  ON  SECRETARY. 

In  complying  with  any  requirements  imposed  under  this 
part,  the  Secretary  shall  rely  on  recommendations  of  the 
Health  Information  Advisory  Committee  established  under 
section  5112  and  shall  consult  with  appropriate  Federal 
agencies. 

SEC. 5112. HEALTH INFORMATION ADVISORY COMMITTEE.

(a) Establishment. — There is established a committee
to be known as the Health Care Information Advisory
Committee.

(b) Duty. — The committee shall provide assistance to the
Secretary in complying with the requirements imposed on
the Secretary under this part. In performing such duty,
the committee shall receive technical assistance from appropriate
Federal agencies.

(c)  Membership. — 

(1) In general. — The committee shall consist of 15
members to be appointed by the President not later
than 60 days after the date of the enactment of this
Act. The committee shall designate 1 member as the
chairperson of the committee.

(2) Expertise. — The membership of the committee
shall consist of individuals who are of recognized
standing and distinction and who possess the demonstrated
capacity to discharge the duties imposed on
the committee.

(3) Terms. — Each member of the committee shall be
appointed for a term of 5 years, except that the members
first appointed shall serve staggered terms such
that the terms of no more than 3 members expire at
one time.

(4)  Vacancies. — 

(A) In general. — A vacancy on the committee
shall be filled in the manner in which the original
appointment was made and shall be subject to any
conditions which applied with respect to the original
appointment.

(B)  Filling  unexpired  term— An  individual 
chosen  to  fill  a  vacancy  shall  be  appointed  for  the 
unexpired  term  of  the  member  replaced. 

(C)  Expiration  of  terms.— The  term  of  any 
member  shall  not  expire  before  the  date  on  which 
the  member's  successor  takes  office. 

(D)  Conflicts  of  interest.— Members  of  the 
committee  shall  disclose  upon  appointment  to  the 
committee  or  at  any  subsequent  time  that  it  may 
occur,  conflicts  of  interest. 

(d)  Meetings. — 

(1) In general. — Except as provided in paragraph
(2), the committee shall meet at the call of the chairperson.

(2) Initial meeting. — Not later than 30 days after
the date on which all members of the committee have
been appointed, the committee shall hold its first
meeting.

(3) Quorum. — A majority of the members of the
committee shall constitute a quorum, but a lesser
number of members may hold hearings.

(e) Power to Hold Hearings. — The committee may
hold such hearings, sit and act at such times and places,
take such testimony, and receive such evidence as the committee
considers advisable to carry out the purposes of this
section.

(f)  Other  Administrative  Provisions. — 

(1)  In  general.— The  Panel  may— 

(A) employ and fix the compensation of an executive
director and such other personnel (not to exceed
25) as may be necessary to carry out its duties
(without regard to the provisions of title 5,
United States Code, governing appointments in
the competitive service);

(B) seek such assistance and support as may be
required in the performance of its duties from appropriate
Federal departments and agencies;

(C) enter into contracts or make other arrangements,
as may be necessary for the conduct of the
work of the Panel (without regard to section 3709
of the Revised Statutes (41 U.S.C. 5));

(D) make advance, progress, and other payments
which relate to the work of the Panel;

(E)  provide  transportation  and  subsistence  for 
persons  serving  without  compensation;  and 

(F) prescribe such rules and regulations as it
deems necessary with respect to the internal organization
and operation of the Panel.

(2) Compensation. — While serving on the business
of the Panel (including traveltime), a member of the
Panel shall be entitled to compensation at the per
diem equivalent of the rate provided for level IV of the
Executive Schedule under section 5315 of title 5, United
States Code. While so serving away from home and
the regular place of business of a member of the
Panel, the member may be allowed travel expenses, as
authorized by the chairperson of the Panel. Physicians
serving as personnel of the Panel may be provided a
physician comparability allowance by the Panel in the
same manner as Government physicians may be provided
such an allowance by an agency under section
5948 of title 5, United States Code, and for such purpose
subsection (i) of such section shall apply to the
Panel in the same manner as the subsection applies to
the Tennessee Valley Authority. For purposes of pay
(other than pay of members of the Panel) and employment
benefits, rights, and privileges, all personnel of
the Panel shall be treated as if they were employees
of the United States Senate.

(3) GAO audits. — The Panel shall be subject to periodic
audit by the General Accounting Office.

(g)  Reports. — 

(1) In general. — The committee shall annually prepare
and submit to the Congress and the Secretary a
report on —

(A)  the  status  of  the  health  information  network 
established  pursuant  to  this  part,  including — 

(i) whether the network is fulfilling the purpose
described in section 5101; and

(ii)  information  relating  to  the  cost  and 
quality  of  health  care  rendered  by  health 
service  providers; 

(B)  the  savings  and  costs  of  the  network;  and 

(C)  any  legislative  recommendations  related  to 
the  network. 

(2) Availability to the public.— Any information
in the report submitted to the Congress under paragraph
(1) shall be made available to the public unless
such information may not be disclosed by law.

(h) Duration. — Notwithstanding section 14(a) of the
Federal Advisory Committee Act, the committee shall continue
in existence under otherwise provided by law.

SEC. 5113. AUTHORITY TO MAKE GRANTS FOR DEMONSTRATION PROJECTS.

(a) In General.— The Secretary may make grants for
demonstration projects to promote the development and
use of electronically integrated community-based health information
systems and computerized patient medical
records.

(b)  Applications.— 

(1)  Submission.— To  apply  for  a  grant  under  this 
section  for  any  fiscal  year,  an  applicant  shall  submit 
an  application  to  the  Secretary  in  accordance  with  the 
procedures  established  by  the  Secretary. 



(2) Criteria for approval. — The Secretary may not
approve an application submitted under paragraph (1)
unless the application includes assurances satisfactory
to the Secretary regarding the following:

(A) Use of existing technology. — Funds received
under this section will be used to apply
telecommunications and information systems technology
that is in existence on the date the application
is submitted in a manner that improves the
quality of health care, reduces the costs of such
care, and protects the privacy and confidentiality
of information relating to the physical or mental
condition of an individual.

(B)  Use  of  existing  information  systems. — 
Funds  received  under  this  section  will  be  used — 

(i) to enhance telecommunications or information
systems that are operating on the date
the application is submitted;

(ii) to integrate telecommunications or information
systems that are operating on the date
the application is submitted; or

(iii) to connect additional users to telecommunications
or information networks or
systems that are operating on the date the
application is submitted.

(C)  Matching  funds.— The  applicant  will  make 
available  funds  for  the  demonstration  project  in 
an  amount  that  equals  at  least  50  percent  of  the 
cost  of  the  project. 

(c) Geographic Diversity. — In making any grants
under this section, the Secretary shall make grants to persons
representing different geographic areas of the United
States, including urban and rural areas.

(d) Review and Sanctions. — The Secretary shall review
at least annually the compliance of a person receiving a
grant under this section with the provisions of this section.
The Secretary shall establish a procedure for determining
whether such a person has failed to comply substantially
within the provisions of this section and the sanctions to
be imposed for any such noncompliance.

(e) Annual Report. — The Secretary shall transmit annually
to the President and the Congress a report containing
a detailed statement of the activities carried out under
this section in the preceding 12 months.

SEC.  5114.  EFFECT  ON  STATE  LAW. 

(a) In General. — A provision, requirement, or standard
under this part shall supersede a provision of State law
that requires medical or health records (including billing
information) to be maintained in written rather than electronic
form, except where the Secretary determines that
the provision is necessary to prevent fraud and abuse, with
respect to controlled substances, or for other purposes.

(b) Public Health Reporting.— Nothing in this part
shall be construed to invalidate or limit the authority,
power, or procedures established under any law providing
for the reporting of disease or injury, child abuse, birth, or
death, public health surveillance, or public health investigation
or intervention.

Page  882,  beginning  on  line  19,  strike  "National  Health  Board" 
and  insert  "Secretary". 

Page  882,  line  20,  strike  "modify,  update,  or". 

Page  882,  strike  line  23  and  insert  "a  standard  under  part  1  that 
is  inconsistent  with  the  form  or  requirement.". 

Beginning  on  page  885,  strike  line  11  through  page  886,  line  3 
(and  redesignate  provisions  accordingly). 

Amend  part  2  of  subtitle  B  of  title  V  (pages  871  through  877)  to 
read  as  follows  (and  redesignate  provisions  and  conform  the  table 
of  contents  of  title  V  accordingly): 


PART  2— FAIR  HEALTH  INFORMATION 
PRACTICES 

SEC.  5120.  DEFINITIONS. 

(a) Definitions Relating to Protected Health Information.—
For purposes of this part:

(1) Disclose. — The term "disclose", when used with
respect to protected health information that is held by
a health information trustee, means to provide access
to the information, but only if such access is provided
by the trustee to a person other than —

(A) the trustee or an officer or employee of the
trustee;

(B)  an  affiliated  person  of  the  trustee;  or 

(C)  a  protected  individual  who  is  a  subject  of  the 
information. 

(2)  Disclosure.— The  term  "disclosure"  means  the 
act  or  an  instance  of  disclosing. 

(3)  Protected  health  information.— The  term 
"protected  health  information"  means  any  information, 
whether  oral  or  recorded  in  any  form  or  medium — 

(A)  that  is  created  or  received  in  a  State  by — 

(i)  a  health  care  provider; 

(ii)  a  health  benefit  plan  sponsor; 

(iii)  a  health  oversight  agency; 

(iv) a health information service organization;
or

(v)  a  public  health  authority; 

(B) that relates in any way to the past, present,
or future physical or mental health or condition or
functional status of a protected individual, the
provision of health care to a protected individual,
or payment for the provision of health care to a
protected individual; and

(C) that—

(i)  identifies  the  individual;  or 

(ii) with respect to which there is a reasonable
basis to believe that the information can
be used to identify the individual.

(4) Protected individual.— The term "protected individual"
means an individual who, with respect to a
date—

(A)  is  living  on  the  date;  or 

(B)  has  died  within  the  2-year  period  ending  on 
the  date. 

(5) Use. — The term "use", when used with respect to
protected health information that is held by a health
information trustee, means —

(A) to use, or provide access to, the information
in any manner that does not constitute a disclosure;
or

(B) any act or instance of using, or providing access,
described in subparagraph (A).

(b) Definitions Relating to Health Information
Trustees. — For purposes of this part:

(1) Carrier. — The term "carrier" means a licensed
insurance company, a hospital or medical service corporation
(including an existing Blue Cross or Blue
Shield organization, within the meaning of section
833(c)(2) of the Internal Revenue Code of 1986), a
health maintenance organization, or other entity licensed
or certified by a State to provide health insurance
or health benefits.

(2) Health benefit plan. — The term "health benefit
plan" means —

(A) any contract of health insurance, including
any hospital or medical service policy or certificate,
hospital or medical service plan contract, or
health maintenance organization group contract,
that is provided by a carrier; and

(B) an employee welfare benefit plan or other
arrangement insofar as the plan or arrangement
provides health benefits and is funded in a manner
other than through the purchase of one or
more policies or contracts described in subparagraph
(A).

(3) Health benefit plan sponsor. — The term
"health benefit plan sponsor" means a person who,
with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses
the information while acting in whole or in part
in the capacity of —

(A) a carrier providing a regional alliance health
plan;

(B) an eligible sponsor (as defined in section
1311(b)) providing a corporate alliance health
plan;

(C) a carrier or other person providing any other
health benefit plan, including any public entity
that provides payments for health care items and
services under a health benefit plan that are
equivalent to payments provided by a private person
under such a plan; or

(D)  an  officer  or  employee  of  a  person  described 
in  subparagraph  (A),  (B),  or  (C). 

(4) Health care provider. — The term "health care
provider" means a person who, with respect to a specific
item of protected health information, receives,
creates, uses, maintains, or discloses the information
while acting in whole or in part in the capacity of—

(A) a person who is licensed, certified, registered,
or otherwise authorized by law to provide
an item or service that constitutes health care in
the ordinary course of business or practice of a
profession;

(B)  a  Federal  or  State  program  that  directly 
provides  items  or  services  that  constitute  health 
care  to  beneficiaries;  or 

(C)  an  officer  or  employee  of  a  person  described 
in  subparagraph  (A)  or  (B). 

(5)  Health  information  service  organization. — 
The  term  "health  information  service  organization" 
means  a  person  who,  with  respect  to  a  specific  item  of 
protected  health  information,  receives,  creates,  uses, 
maintains,  or  discloses  the  information  while  acting  in 
whole  or  in  part  in  the  capacity  of — 

(A) a person, other than an affiliated person,
who performs specific functions for which the Secretary
has authorized (by means of a designation
or certification) the person to receive access to
health care data in electronic or magnetic form
that are regulated by this Act; or

(B)  an  officer  or  employee  of  a  person  described 
in  subparagraph  (A). 

(6)  Health  information  trustee.— The  term 
"health  information  trustee"  means — 

(A)  a  health  care  provider; 

(B)  a  health  information  service  organization; 

(C)  a  health  oversight  agency; 

(D)  a  health  benefit  plan  sponsor; 

(E)  a  public  health  authority; 

(F)  a  health  researcher; 

(G) a person who, with respect to a specific item
of protected health information, is not described in
subparagraphs (A) through (F) but receives the information—

(i) pursuant to —

(I) section 5137 (relating to emergency
circumstances);

(II)  section  5138  (relating  to  judicial 
and  administrative  purposes); 

(III) section 5139 (relating to law enforcement);
or

(IV) section 5140 (relating to subpoenas,
warrants, and search warrants); or

(ii)  while  acting  in  whole  or  in  part  in  the 
capacity  of  an  officer  or  employee  of  a  person 
described  in  clause  (i). 

(7) Health oversight agency.— The term "health
oversight agency" means a person who, with respect to
a specific item of protected health information, receives,
creates, uses, maintains, or discloses the information
while acting in whole or in part in the capacity
of—

(A) a person who performs or oversees the performance
of an assessment, evaluation, determination,
or investigation relating to the licensing, accreditation,
or certification of health care providers;

(B)  a  person  who— 

(i) performs or oversees the performance of
an audit, assessment, evaluation, determination,
or investigation relating to the effectiveness
of, compliance with, or applicability of,
legal, fiscal, medical, or scientific standards or
aspects of performance related to the delivery
of, or payment for, health care; and

(ii) is a public agency, acting on behalf of a
public agency, acting pursuant to a requirement
of a public agency, or carrying out activities
under a State or Federal statute regulating
the assessment, evaluation, determination,
or investigation; or

(C)  an  officer  or  employee  of  a  person  described 
in  subparagraph  (A)  or  (B). 

(8) Health researcher.— The term "health researcher"
means a person who, with respect to a specific
item of protected health information, receives the
information —

(A)  pursuant  to  section  5136  (relating  to  health 
research);  or 

(B) while acting in whole or in part in the capacity
of an officer or employee of a person described
in subparagraph (A).

(9) Public health authority.— The term "public
health authority" means a person who, with respect to
a specific item of protected health information, receives,
creates, uses, maintains, or discloses the information
while acting in whole or in part in the capacity
of—

(A) an authority of the United States, a State,
or a political subdivision of a State that is responsible
for public health matters;

(B)  a  person  acting  under  the  direction  of  such 
an  authority;  or 

(C)  an  officer  or  employee  of  a  person  described 
in  subparagraph  (A)  or  (B). 

(c)  Other  Definitions. — For  purposes  of  this  part: 

(1)  Affiliated  person. — The  term  "affiliated  person" 
means  a  person  who — 

(A)  is  not  a  health  information  trustee; 

(B)  is  a  contractor,  subcontractor,  associate,  or 
subsidiary  of  a  person  who  is  a  health  information 
trustee;  and 

(C)  pursuant  to  an  agreement  or  other  relation- 
ship with  such  trustee,  receives,  creates,  uses, 
maintains,  or  discloses  protected  health  informa- 
tion. 

(2)  Approved  health  research  project. — The 
term  "approved  health  research  project"  means  a  bio- 
medical, epidemiological,  or  health  services  research  or 
statistics  project,  or  a  research  project  on  behavioral 
and  social  factors  affecting  health,  that  has  been  ap- 
proved by  a  certified  institutional  review  board. 

(3)  Certified  institutional  review  board. — The 
term  "certified  institutional  review  board"  means  a 
board — 

(A)  established  by  an  entity  to  review  research 
involving  protected  health  information  and  the 
rights  of  protected  individuals  conducted  at  or 
supported  by  the  entity; 

(B)  established  in  accordance  with  regulations  of 
the  Secretary  under  section  5136(d)(1);  and 

(C)  certified  by  the  Secretary  under  section 
5136(d)(2). 

(4)  Health  care.— The  term  "health  care"— 

(A)  means — 

(i)  any  preventive,  diagnostic,  therapeutic, 
rehabilitative,  maintenance,  or  palliative  care, 
counseling,  service,  or  procedure — 

(I)  with  respect  to  the  physical  or  men- 
tal condition,  or  functional  status,  of  an 
individual;  or 

(II)  affecting  the  structure  or  function 
of  the  human  body  or  any  part  of  the 
human  body,  including  banking  of  blood, 
sperm,  organs,  or  any  other  tissue;  or 

(ii)  any  sale  or  dispensing  of  a  drug,  device, 
equipment,  or  other  item  to  an  individual,  or 
for  the  use  of  an  individual,  pursuant  to  a 
prescription;  but 

(B)  does  not  include  any  item  or  service  that  is 
not  furnished  for  the  purpose  of  maintaining  or 
improving  the  health  of  an  individual. 

(5)  Law  enforcement  inquiry.— The  term  "law  enforcement 
inquiry"  means  a  lawful  investigation  or  official 
proceeding  inquiring  into  a  violation  of,  or  failure 
to  comply  with,  any  criminal  or  civil  statute  or  any 
regulation,  rule,  or  order  issued  pursuant  to  such  a 
statute. 

(6)  Person. — The  term  "person"  includes  an  authority 
of  the  United  States,  a  State,  or  a  political  subdivision 
of  a  State. 

Subpart  A — Duties  of  Health  Information 
Trustees 


SEC.  5121.  INSPECTION  OF  PROTECTED  HEALTH  INFORMA- 
TION. 

(a)  In  General. — Except  as  provided  in  subsection  (b),  a 
health  information  trustee  described  in  subsection  (g)— 

(1)  shall  permit  a  protected  individual  to  inspect  any 
protected  health  information  about  the  individual  that 
the  trustee  maintains,  any  accounting  with  respect  to 
such  information  required  under  section  5124,  and  any 
copy  of  an  authorization  required  under  section  5132 
that  pertains  to  such  information; 

(2)  shall  provide  the  protected  individual  with  a 
copy  of  the  information  upon  request  by  the  individual 
and  subject  to  any  conditions  imposed  by  the  trustee 
under  subsection  (d); 

(3)  shall  permit  a  person  who  has  been  designated 
in  writing  by  the  protected  individual  to  inspect  the 
information  on  behalf  of  the  individual  or  to  accom- 
pany the  individual  during  the  inspection;  and 

(4)  may  offer  to  explain  or  interpret  information  that 
is  inspected  or  copied  under  this  subsection. 

(b)  Exceptions. — A  health  information  trustee  is  not  required 
by  this  section  to  permit  inspection  or  copying  of 
protected  health  information  by  a  protected  individual  if 
any  of  the  following  conditions  apply: 

(1)  Mental  health  treatment  notes. — The  information 
consists  of  psychiatric,  psychological,  or  mental 
health  treatment  notes  about  the  individual,  the  trust- 
ee determines  in  the  exercise  of  reasonable  profes- 
sional judgment  that  inspection  or  copying  of  the  notes 
would  cause  sufficient  harm  to  the  protected  individ- 
ual so  as  to  outweigh  the  desirability  of  permitting  ac- 
cess, and  the  trustee  does  not  disclose  the  notes  to  any 
person  not  directly  engaged  in  treating  the  individual, 
except  with  the  authorization  of  the  individual  or 
under  compulsion  of  law. 

(2)  Information  about  others. — The  information 
relates  to  an  individual,  other  than  the  protected  indi- 
vidual or  a  health  care  provider,  and  the  trustee  deter- 
mines in  the  exercise  of  reasonable  professional  judg- 
ment that  inspection  or  copying  of  the  information 
would  cause  sufficient  harm  to  one  or  both  of  the  individuals 
so  as  to  outweigh  the  desirability  of  permitting 
access. 

(3)  Endangerment  to  life  or  safety. — Inspection 
or  copying  of  the  information  could  reasonably  be  ex- 
pected to  endanger  the  life  or  physical  safety  of  an  in- 
dividual. 

(4)  Confidential  source. — The  information  identi- 
fies or  could  reasonably  lead  to  the  identification  of  an 
individual  (other  than  a  health  care  provider)  who  pro- 
vided information  under  a  promise  of  confidentiality  to 
a  health  care  provider  concerning  a  protected  individ- 
ual who  is  a  subject  of  the  information. 

(5)  Administrative  purposes. — The  information — 

(A)  is  used  by  the  trustee  solely  for  administra- 
tive purposes  and  not  in  the  provision  of  health 
care  to  a  protected  individual  who  is  a  subject  of 
the  information;  and 

(B)  is  not  disclosed  by  the  trustee  to  any  person. 

(6)  Duplicative  information. — The  information  duplicates 
information  available  for  inspection  under 
subsection  (a). 

(7)  Information  compiled  in  anticipation  of  litigation.— 
The  information  is  compiled  principally — 

(A)  in  anticipation  of  a  civil,  criminal,  or  admin- 
istrative action  or  proceeding;  or 

(B)  for  use  in  such  an  action  or  proceeding. 

(c)  Inspection  and  Copying  of  Segregable  Portion.— 
A  health  information  trustee  shall  permit  inspection  and 
copying  under  subsection  (a)  of  any  reasonably  segregable 
portion  of  a  record  after  deletion  of  any  portion  that  is  ex- 
empt under  subsection  (b). 

(d)  Conditions. — A  health  information  trustee  may — 

(1)  require  a  written  request  for  the  inspection  and 
copying  of  protected  health  information  under  this  sec- 
tion; and 

(2)  charge  a  reasonable  cost-based  fee  for — 

(A)  permitting  inspection  of  information  under 
this  section;  and 

(B)  providing  a  copy  of  protected  health  infor- 
mation under  this  section. 

(e)  Statement  of  Reasons  for  Denial.— If  a  health  in- 
formation trustee  denies  in  whole  or  in  part  a  request  for 
inspection  or  copying  under  this  section,  the  trustee  shall 
provide  the  protected  individual  who  made  the  request 
with  a  written  statement  of  the  reasons  for  the  denial. 

(f)  Deadline. — A  health  information  trustee  shall  comply 
with  or  deny  a  request  for  inspection  or  copying  of  protected 
health  information  under  this  section  within  the  30-day 
period  beginning  on  the  date  the  trustee  receives  the 
request. 

(g)  Applicability. — This  section  applies  to  a  health  in- 
formation trustee  who  is — 

(1)  a  health  benefit  plan  sponsor; 

(2)  a  health  care  provider; 

(3)  a  health  information  service  organization; 

(4)  a  health  oversight  agency;  or 

(5)  a  public  health  authority. 

SEC.  5122.  AMENDMENT  OF  PROTECTED  HEALTH  INFORMA- 
TION. 

(a)  In  General. — A  health  information  trustee  described 
in  subsection  (f)  shall,  within  the  45-day  period  beginning 
on  the  date  the  trustee  receives  from  a  protected  individ- 
ual about  whom  the  trustee  maintains  protected  health  in- 
formation a  written  request  that  the  trustee  correct  or 
amend  the  information,  complete  the  duties  described  in 
one  of  the  following  paragraphs: 

(1)  Correction  or  amendment  and  notification.— 
The  trustee  shall — 

(A)  make  the  correction  or  amendment  re- 
quested; 

(B)  inform  the  protected  individual  of  the 
amendment  or  correction  that  has  been  made; 

(C)  make  reasonable  efforts  to  inform  any  per- 
son who  is  identified  by  the  protected  individual, 
who  is  not  an  employee  of  the  trustee,  and  to 
whom  the  uncorrected  or  unamended  portion  of 
the  information  was  previously  disclosed  of  the 
correction  or  amendment  that  has  been  made;  and 

(D)  at  the  request  of  the  individual,  make  rea- 
sonable efforts  to  inform  any  known  source  of  the 
uncorrected  or  unamended  portion  of  the  informa- 
tion about  the  correction  or  amendment  that  has 
been  made. 

(2)  Reasons  for  refusal  and  review  proce- 
dures.— The  trustee  shall  inform  the  protected  indi- 
vidual of — 

(A)  the  reasons  for  the  refusal  of  the  trustee  to 
make  the  correction  or  amendment; 

(B)  any  procedures  for  further  review  of  the  re- 
fusal; and 

(C)  the  individual's  right  to  file  with  the  trustee 
a  concise  statement  setting  forth  the  requested 
correction  or  amendment  and  the  individual's  rea- 
sons for  disagreeing  with  the  refusal  of  the  trust- 
ee. 

(b)  Standards  for  Correction  or  Amendment.— A 
trustee  shall  correct  or  amend  protected  health  informa- 
tion in  accordance  with  a  request  made  under  subsection 
(a)  if  the  trustee  determines  that  the  information  is  not  ac- 
curate, relevant,  timely,  or  complete  for  the  purposes  for 
which  the  information  may  be  used  or  disclosed  by  the 
trustee. 

(c)  Statement  of  Disagreement. — After  a  protected  individual 
has  filed  a  statement  of  disagreement  under  subsection 
(a)(2)(C),  the  trustee,  in  any  subsequent  disclosure 
of  the  disputed  portion  of  the  information,  shall  include  a 
copy  of  the  individual's  statement  and  may  include  a  concise 
statement  of  the  trustee's  reasons  for  not  making  the 
requested  correction  or  amendment. 

(d)  Construction. — This  section  may  not  be  construed 
to  require  a  health  information  trustee  to  conduct  a  hear- 
ing or  proceeding  concerning  a  request  for  a  correction  or 
amendment  to  protected  health  information  the  trustee 
maintains. 

(e)  Correction. — For  purposes  of  subsection  (a),  a  correction 
is  deemed  to  have  been  made  to  protected  health 
information  when — 

(1)  information  that  is  not  timely,  accurate,  relevant, 
or  complete  is  clearly  marked  as  incorrect;  or 

(2)  supplementary  correct  information  is  made  part 
of  the  information  and  adequately  cross-referenced. 

(f)  Applicability. — This  section  applies  to  a  health  information 
trustee  who  is — 

(1)  a  health  benefit  plan  sponsor; 

(2)  a  health  care  provider; 

(3)  a  health  information  service  organization; 

(4)  a  health  oversight  agency;  or 

(5)  a  public  health  authority. 

SEC.  5123.  NOTICE  OF  INFORMATION  PRACTICES. 

(a)  Preparation  of  Notice.— A  health  information 
trustee  described  in  subsection  (d)  shall  prepare  a  written 
notice  of  information  practices  describing  the  following: 

(1)  The  rights  under  this  part  of  a  protected  individ- 
ual who  is  the  subject  of  protected  health  information, 
including  the  right  to  inspect  and  copy  such  informa- 
tion and  the  right  to  seek  amendments  to  such  infor- 
mation, and  the  procedures  for  authorizing  disclosures 
of  protected  health  information  and  for  revoking  such 
authorizations. 

(2)  The  procedures  established  by  the  trustee  for  the 
exercise  of  such  rights. 

(3)  The  uses  and  disclosures  of  protected  health  in- 
formation that  are  authorized  under  this  part. 

(b)  Dissemination  of  Notice.— A  health  information 
trustee — 

(1)  shall,  upon  request,  provide  any  person  with  a 
copy  of  the  trustee's  notice  of  information  practices 
(described  in  subsection  (a));  and 

(2)  shall  make  reasonable  efforts  to  inform  persons 
in  a  clear  and  conspicuous  manner  of  the  existence 
and  availability  of  such  notice. 

(c)  Model  Notices.— Not  later  than  July  1,  1996,  the 
Secretary,  after  notice  and  opportunity  for  public  comment, 
shall  develop  and  disseminate  model  notices  of  information 
practices  for  use  by  health  information  trustees  under  this 
section. 

(d)  Applicability. — This  section  applies  to  a  health  information 
trustee  who  is — 

(1)  a  health  benefit  plan  sponsor; 

(2)  a  health  care  provider; 

(3)  a  health  information  service  organization;  or 

(4)  a  health  oversight  agency. 

SEC.  5124.  ACCOUNTING  FOR  DISCLOSURES. 

(a)  In  General. — Except  as  provided  in  subsection  (b) 
and  section  5134,  each  health  information  trustee  shall 
create  and  maintain,  with  respect  to  any  protected  health 
information  the  trustee  discloses,  a  record  of — 

(1)  the  date  and  purpose  of  the  disclosure; 

(2)  the  name  of  the  person  to  whom  the  disclosure 
was  made; 

(3)  the  address  of  the  person  to  whom  the  disclosure 
was  made  or  the  location  to  which  the  disclosure  was 
made;  and 

(4)  where  practicable,  a  description  of  the  informa- 
tion disclosed. 

(b)  Regulations.— Not  later  than  July  1,  1996,  the  Sec- 
retary shall  promulgate  regulations  that  exempt  a  health 
information  trustee  from  maintaining  a  record  under  subsection 
(a)  with  respect  to  protected  health  information  disclosed 
by  the  trustee  for  purposes  of  peer  review,  licensing, 
certification,  accreditation,  and  similar  activities. 

SEC.  5125.  SECURITY. 

(a)  In  General. — Each  health  information  trustee  who 
receives  or  creates  protected  health  information  that  is 
subject  to  this  part  shall  maintain  reasonable  and  appro- 
priate administrative,  technical,  and  physical  safeguards — 

(1)  to  ensure  the  integrity  and  confidentiality  of  the 
information; 

(2)  to  protect  against  any  reasonably  anticipated — 

(A)  threats  or  hazards  to  the  security  or  integ- 
rity of  the  information;  and 

(B)  unauthorized  uses  or  disclosures  of  the  in- 
formation; and 

(3)  otherwise  ensure  compliance  with  this  part  by 
the  trustee  and  the  officers  and  employees  of  the 
trustee. 

(b)  Guidelines.— Not  later  than  July  1,  1996,  the  Sec- 
retary, after  notice  and  opportunity  for  public  comment, 
shall  develop  and  disseminate  guidelines  for  the  imple- 
mentation of  this  section.  The  guidelines  shall  take  into 
account — 

(1)  the  technical  capabilities  of  record  systems  used 
to  maintain  protected  health  information; 

(2)  the  costs  of  security  measures; 

(3)  the  need  for  training  persons  who  have  access  to 
protected  health  information;  and 

(4)  the  value  of  audit  trails  in  computerized  record 
systems. 

Subpart  B — Use  and  Disclosure  of  Protected 
Health  Information 

SEC.  5131.  GENERAL  LIMITATIONS  ON  USE  AND  DISCLOSURE. 

(a)  Use. — Except  as  otherwise  provided  under  this  part, 
a  health  information  trustee  may  use  protected  health  in- 
formation only  for  a  purpose — 

(1)  that  is  compatible  with  and  directly  related  to 
the  purpose  for  which  the  information — 

(A)  was  collected;  or 

(B)  was  received  by  the  trustee;  or 

(2)  for  which  the  trustee  is  authorized  to  disclose  the 
information  under  this  part. 

(b)  Disclosure. — A  health  information  trustee  may  disclose 
protected  health  information  only  as  authorized 
under  this  part. 

(c)  Scope  of  Uses  and  Disclosures. — 

(1)  In  general. — A  use  or  disclosure  of  protected 
health  information  by  a  health  information  trustee 
shall  be  limited,  when  practicable,  to  the  minimum 
amount  of  information  necessary  to  accomplish  the 
purpose  for  which  the  information  is  used  or  disclosed. 

(2)  Guidelines.— Not  later  than  July  1,  1996,  the 
Secretary,  after  notice  and  opportunity  for  public  com- 
ment, shall  issue  guidelines  to  implement  paragraph 
(1),  which  shall  take  into  account  the  technical  capa- 
bilities of  the  record  systems  used  to  maintain  pro- 
tected health  information  and  the  costs  of  limiting  use 
and  disclosure. 

(d)  Identification  of  Disclosed  Information  as  Protected 
Information. — Except  with  respect  to  protected 
health  information  that  is  disclosed  under  section  5134  (re- 
lating to  next  of  kin  and  directory  information),  a  health 
information  trustee  may  disclose  protected  health  informa- 
tion only  if  the  recipient  has  been  notified  that  the  infor- 
mation is  protected  health  information  that  is  subject  to 
this  part. 

(e)  Agreement  to  Limit  Use  or  Disclosure.— A  health 
information  trustee  who  receives  protected  health  informa- 
tion from  any  person  pursuant  to  a  written  agreement  to 
restrict  use  or  disclosure  of  the  information  to  a  greater 
extent  than  otherwise  would  be  required  under  this  part 
shall  comply  with  the  terms  of  the  agreement,  except 
where  use  or  disclosure  of  the  information  in  violation  of 
the  agreement  is  required  by  law.  A  trustee  who  fails  to 
comply  with  the  preceding  sentence  shall  be  subject  to  sec- 
tion 5171  (relating  to  civil  actions)  with  respect  to  such 
failure. 

(f)  No  General  Requirement  to  Disclose. — Nothing 
in  this  part  shall  be  construed  to  require  a  health  informa- 
tion trustee  to  disclose  protected  health  information  not 
otherwise  required  to  be  disclosed  by  law. 

SEC.  5132.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PROTECTED 
HEALTH  INFORMATION. 

(a)  Written  Authorizations.— A  health  information 
trustee,  other  than  a  health  information  service  organiza- 
tion, may  disclose  protected  health  information  pursuant 
to  an  authorization  executed  by  the  protected  individual 
who  is  the  subject  of  the  information,  if  each  of  the  follow- 
ing requirements  is  satisfied: 

(1)  Writing. — The  authorization  is  in  writing, 
signed  by  the  individual,  and  dated  on  the  date  of 
such  signature. 

(2)  Separate  form. — The  authorization  is  not  on  a 
form  used  to  authorize  or  facilitate  the  provision  of,  or 
payment  for,  health  care. 

(3)  Trustee  described.— The  trustee  is  specifically 
named  or  generically  described  in  the  authorization  as 
authorized  to  disclose  such  information. 

(4)  Recipient  described. — The  person  to  whom  the 
information  is  to  be  disclosed  is  specifically  named  or 
generically  described  in  the  authorization  as  a  person 
to  whom  such  information  may  be  disclosed. 

(5)  Statement  of  intended  uses  and  disclosures 
received. — The  authorization  contains  an  acknowledgment 
that  the  individual  has  received  a  statement 
described  in  subsection  (b)  from  such  person. 

(6)  Information  described.— The  information  to  be 
disclosed  is  described  in  the  authorization. 

(7)  Authorization  timely  received.— The  author- 
ization is  received  by  the  trustee  during  a  period  de- 
scribed in  subsection  (c)(1). 

(8)  Disclosure  timely  made. — The  disclosure  occurs 
during  a  period  described  in  subsection  (c)(2). 

(b)  Statement  of  Intended  Uses  and  Disclosures. — 

(1)  In  general. — A  person  who  wishes  to  receive 
from  a  health  information  trustee  protected  health  in- 
formation about  a  protected  individual  pursuant  to  an 
authorization  executed  by  the  individual  shall  supply 
the  individual,  in  writing  and  on  a  form  that  is  dis- 
tinct from  the  authorization,  with  a  statement  of  the 
uses  for  which  the  person  intends  the  information  and 
the  disclosures  the  person  intends  to  make  of  the  in- 
formation. Such  statement  shall  be  supplied  before  the 
authorization  is  executed. 

(2)  Enforcement. — If  the  person  uses  or  discloses 
the  information  in  a  manner  that  is  inconsistent  with 
such  statement,  the  person  shall  be  subject  to  section 
5171  (relating  to  civil  actions)  with  respect  to  such 
failure,  except  where  such  use  or  disclosure  is  required 
by  law. 

(3)  Model  statements. — Not  later  than  July  1, 
1996,  the  Secretary,  after  notice  and  opportunity  for 
public  comment,  shall  develop  and  disseminate  model 
statements  of  intended  uses  and  disclosures  of  the 
type  described  in  paragraph  (1). 

(c)  Time  Limitations  on  Authorizations.— 

(1)  Receipt  by  trustee. — For  purposes  of  sub- 
section (a)(7),  an  authorization  is  timely  received  if  it 
is  received  by  the  trustee  during — 

(A)  the  1-year  period  beginning  on  the  date  that 
the  authorization  is  signed  under  subsection 
(a)(1),  if  the  authorization  permits  the  disclosure 
of  protected  health  information  to — 

(i)  a  health  benefit  plan  sponsor; 

(ii)  a  health  care  provider; 

(iii)  a  health  oversight  agency; 

(iv)  a  public  health  authority; 

(v)  a  health  researcher;  or 

(vi)  a  person  who  provides  counseling  or  so- 
cial services  to  individuals;  or 

(B)  the  30-day  period  beginning  on  the  date  that 
the  authorization  is  signed  under  subsection 
(a)(1),  if  the  authorization  permits  the  disclosure 
of  protected  health  information  to  a  person  other 
than  a  person  described  in  subparagraph  (A). 

(2)  Disclosure  by  trustee. — For  purposes  of  sub- 
section (a)(8),  a  disclosure  is  timely  made  if  it  occurs 
before — 

(A)  the  date  or  event  (if  any)  specified  in  the  au- 
thorization upon  which  the  authorization  expires; 
and 

(B)  the  expiration  of  the  6-month  period  begin- 
ning on  the  date  the  trustee  receives  the  author- 
ization. 

(d)  Revocation  or  Amendment  of  Authorization.— 

(1)  In  general. — A  protected  individual  in  writing 
may  revoke  or  amend  an  authorization  described  in 
subsection  (a),  in  whole  or  in  part,  at  any  time,  except 
insofar  as — 

(A)  disclosure  of  protected  health  information 
has  been  authorized  to  permit  validation  of  ex- 
penditures based  on  health  condition  by  a  govern- 
ment authority;  or 

(B)  action  has  been  taken  in  reliance  on  the  au- 
thorization. 

(2)  Notice  of  revocation.— A  health  information 
trustee  who  discloses  protected  health  information  in 
reliance  on  an  authorization  that  has  been  revoked 
shall  not  be  subject  to  any  liability  or  penalty  under 
this  part  if — 

(A)  the  reliance  was  in  good  faith; 

(B)  the  trustee  had  no  notice  of  the  revocation; 
and 

(C)  the  disclosure  was  otherwise  in  accordance 
with  the  requirements  of  this  section. 

(e)  Additional  Requirements  of  Trustee.— A  health 
information  trustee  may  impose  requirements  for  an  au- 
thorization that  are  in  addition  to  the  requirements  in  this 
section. 

(f)  Copy.— A  health  information  trustee  who  discloses 
protected  health  information  pursuant  to  an  authorization 
under  this  section  shall  maintain  a  copy  of  the  authoriza- 
tion. 

(g)  Construction. — This  section  may  not  be  construed — 

(1)  to  require  a  health  information  trustee  to  dis- 
close protected  health  information;  or 

(2)  to  limit  the  right  of  a  health  information  trustee 
to  charge  a  fee  for  the  disclosure  or  reproduction  of 
protected  health  information. 

(h)  Subpoenas,  Warrants,  and  Search  Warrants. — If 
a  health  information  trustee  discloses  protected  health  in- 
formation pursuant  to  an  authorization  in  order  to  comply 
with  an  administrative  subpoena  or  warrant  or  a  judicial 
subpoena  or  search  warrant,  the  authorization — 

(1)  shall  specifically  authorize  the  disclosure  for  the 
purpose  of  permitting  the  trustee  to  comply  with  the 
subpoena,  warrant,  or  search  warrant;  and 

(2)  shall  otherwise  meet  the  requirements  in  this 
section. 

SEC.  5133.  TREATMENT,  PAYMENT,  AND  OVERSIGHT. 

(a)  Disclosures  by  Plans,  Providers,  and  Oversight 
Agencies. — A  health  information  trustee  described  in  subsection 
(d)  may  disclose  protected  health  information  to  a 
health  benefit  plan  sponsor,  health  care  provider,  or  health 
oversight  agency  if  the  disclosure  is — 

(1)  for  the  purpose  of  providing  health  care  and  a 
protected  individual  who  is  a  subject  of  the  informa- 
tion has  not  previously  objected  to  the  disclosure  in 
writing; 

(2)  for  the  purpose  of  providing  for  the  payment  for 
health  care  furnished  to  an  individual;  or 

(3)  for  use  by  a  health  oversight  agency  for  a  pur- 
pose that  is  described  in  subparagraph  (A)  or  (B)(i)  of 
section  5120(b)(7). 

(b)  Disclosures  by  Certain  Other  Trustees.— A 
health  information  trustee  may  disclose  protected  health 
information  to  a  health  care  provider  if — 

(1)  the  disclosure  is  for  the  purpose  described  in  sub- 
section (a)(1);  and 

(2)  the  trustee — 

(A)  is  a  public  health  authority; 

(B)  received  protected  health  information  pursu- 
ant to  section  5137  (relating  to  emergency  cir- 
cumstances); or 

(C)  is  an  officer  or  employee  of  a  trustee  de- 
scribed in  subsection  (B). 

(c)  Use  in  Action  Against  Individual.— A  person  who 
receives  protected  health  information  about  a  protected  in- 
dividual through  a  disclosure  under  this  section  may  not 
use  or  disclose  the  information  in  any  administrative,  civil, 
or  criminal  action  or  investigation  directed  against  the  in- 
dividual, except  an  action  or  investigation  arising  out  of 
and  related  to  receipt  of  health  care  or  payment  for  health 
care. 

(d)  Applicability. — A  health  information  trustee  referred 
to  in  subsection  (a)  is  any  of  the  following: 

(1)  A  health  benefit  plan  sponsor. 

(2)  A  health  care  provider. 

(3)  A  health  oversight  agency. 

(4)  A  health  information  service  organization. 

SEC.  5134.  NEXT  OF  KIN  AND  DIRECTORY  INFORMATION. 

(a)  Next  of  Kin. — A  health  information  trustee  who  is 
a  health  care  provider,  who  received  protected  health  in- 
formation pursuant  to  section  5137  (relating  to  emergency 
circumstances),  or  who  is  an  officer  or  employee  of  such  a 
recipient  may  orally  disclose  protected  health  information 
about  a  protected  individual  to  the  next  of  kin  of  the  indi- 
vidual (as  defined  under  State  law),  or  to  a  person  with 
whom  the  individual  has  a  close  personal  relationship,  if — 

(1)  the  trustee  has  no  reason  to  believe  that  the  in- 
dividual would  consider  the  information  especially  sen- 
sitive; 

(2)  the  individual  has  not  previously  objected  to  the 
disclosure; 

(3)  the  disclosure  is  consistent  with  good  medical  or 
other  professional  practice;  and 

(4)  the  information  disclosed  is  limited  to  informa- 
tion about  health  care  that  is  being  provided  to  the  in- 
dividual at  or  about  the  time  of  the  disclosure. 

(b)  Directory  Information.— 

(1)  In  general. — A  health  information  trustee  who 
is  a  health  care  provider,  who  received  protected 
health  information  pursuant  to  section  5137  (relating 
to  emergency  circumstances),  or  who  is  an  officer  or 
employee  of  such  a  recipient  may  disclose  to  any  per- 
son the  information  described  in  paragraph  (2)  if— 

(A)  a  protected  individual  who  is  a  subject  of  the 
information  has  not  objected  in  writing  to  the  dis- 
closure; 

(B)  the  disclosure  is  otherwise  consistent  with 
good  medical  and  other  professional  practice;  and 

(C)  the  information  does  not  reveal  specific  in- 
formation about  the  physical  or  mental  condition 
or  functional  status  of  a  protected  individual  or 
about  the  health  care  provided  to  a  protected  indi- 
vidual. 

(2)  Information  described.— The  information  re- 
ferred to  in  paragraph  (1)  is  the  following: 

(A)  The  name  of  an  individual  receiving  health 
care  from  a  health  care  provider  on  a  premises 
controlled  by  the  provider. 

(B)  The  location  of  the  individual  on  such  prem- 
ises. 

(C)  The  general  health  status  of  the  individual, 
described  in  terms  of  critical,  poor,  fair,  stable, 
satisfactory,  or  terms  denoting  similar  conditions. 

(c)  No  Accounting  Required. — A  health  information 
trustee  who  discloses  protected  health  information  under 
this  section  is  not  required  to  maintain  an  accounting  of 
the  disclosure  under  section  5124. 

(d)  Recipients. — A  person  to  whom  protected  health  information 
is  disclosed  under  this  section  shall  not,  by  reason 
of  such  disclosure,  be  subject  to  any  requirement 
under  this  part. 

SEC.  5135.  PUBLIC  HEALTH. 

(a)  In  General. — A  health  information  trustee  who  is  a 
health  care  provider  or  a  public  health  authority  may  dis- 
close protected  health  information  to — 

(1)  a  public  health  authority  for  use  in  legally  au- 
thorized— 

(A)  disease  or  injury  reporting; 

(B)  public  health  surveillance;  or 

(C)  public  health  investigation  or  intervention; 

or 

(2)  an  individual  who  is  authorized  by  law  to  receive 
the  information  in  a  public  health  intervention. 

(b)  Use  in  Action  Against  Individual.— A  public 
health  authority  who  receives  protected  health  information 
about  a  protected  individual  through  a  disclosure  under 
this  section  may  not  use  or  disclose  the  information  in  any 
administrative,  civil,  or  criminal  action  or  investigation  di- 
rected against  the  individual,  except  where  the  use  or  dis- 
closure is  authorized  by  law  for  protection  of  the  public 
health. 

(c)  Individual  Recipients. — An  individual  to  whom  protected
health  information  is  disclosed  under  subsection
(a)(2)  shall  not,  by  reason  of  such  disclosure,  be  subject  to 
any  requirement  under  this  part. 

SEC.  5136.  HEALTH  RESEARCH. 

(a)  In  General. — A  health  information  trustee  described
in  subsection  (d)  may  disclose  protected  health  information 
to  a  person  if — 

(1)  the  person  is  conducting  an  approved  health  re- 
search project; 

(2)  the  information  is  to  be  used  in  the  project;  and 

(3)  the  project  has  been  determined  by  a  certified  in- 
stitutional review  board  to  be — 

(A)  of  sufficient  importance  so  as  to  outweigh 
the  intrusion  into  the  privacy  of  the  protected  in- 
dividual who  is  the  subject  of  the  information  that 
would  result  from  the  disclosure;  and 

(B)  impracticable  to  conduct  without  the  infor- 
mation. 

(b)  Disclosures  by  Health  Information  Service  Organizations.—
A  health  information  service  organization
may  disclose  protected  health  information  under  sub- 
section (a)  only  if  the  certified  institutional  review  board 
referred  to  in  subsection  (a)(3)  has  been  certified  as  being 
qualified  to  make  determinations  under  such  subsection
with  respect  to  disclosures  by  such  organizations. 

(c)  Limitations  on  Use  and  Disclosure;  Obligations
of  Recipient. — A  health  researcher  who  receives  protected
health  information  about  a  protected  individual  pursuant 
to  subsection  (a) — 

(1)  may  use  the  information  solely  for  purposes  of  an
approved  health  research  project; 

(2)  may  not  use  or  disclose  the  information  in  any 
administrative,  civil,  or  criminal  action  or  investiga- 
tion directed  against  the  individual;  and 

(3)  shall  remove  or  destroy,  at  the  earliest  oppor- 
tunity consistent  with  the  purposes  of  the  approved 
health  research  project  in  connection  with  which  the 
disclosure  was  made,  information  that  would  enable 
an  individual  to  be  identified,  unless  a  certified  insti- 
tutional review  board  has  determined  that  there  is  a 
health  or  research  justification  for  retention  of  such 
identifiers  and  there  is  an  adequate  plan  to  protect  the 
identifiers  from  use  and  disclosure  that  is  inconsistent 
with  this  part. 

(d)  Applicability. — A  health  information  trustee  referred
to  in  subsection  (a)  is  any  health  information  trustee
other  than  a  person  who,  with  respect  to  the  specific
protected  health  information  to  be  disclosed  under  such 
subsection,  received  the  information — 

(1)  pursuant  to — 

(A)  section  5138  (relating  to  judicial  and  admin- 
istrative purposes); 

(B)  paragraph  (1),  (2),  or  (3)  of  section  5139(a) 
(relating  to  law  enforcement);  or 

(C)  section  5140  (relating  to  subpoenas,  war- 
rants, and  search  warrants);  or 

(2)  while  acting  in  whole  or  in  part  in  the  capacity 
of  an  officer  or  employee  of  a  person  described  in  para- 
graph (1). 

(e)  Requirements  for  Institutional  Review 
Boards. — 

(1)  Regulations.— Not  later  than  July  1,  1996,  the 
Secretary,  after  opportunity  for  notice  and  comment, 
shall  promulgate  regulations  establishing  require- 
ments for  certified  institutional  review  boards  under 
this  part.  The  regulations  shall  be  based  on  regula- 
tions promulgated  under  section  491(a)  of  the  Public 
Health  Service  Act  and  shall  ensure  that  certified  in- 
stitutional review  boards  are  qualified  to  assess  and 
protect  the  confidentiality  of  research  subjects.  The 
regulations  shall  include  specific  requirements  for  cer- 
tified institutional  review  boards  that  make  deter- 
minations under  subsection  (a)(3)  with  respect  to  dis- 
closures by  health  information  service  organizations. 

(2)  Certification.— The  Secretary  shall  certify  that 
an  institutional  review  board  satisfies  the  requirements
of  the  regulations  promulgated  under  paragraph
(1).

SEC.  5137.  EMERGENCY  CIRCUMSTANCES. 

(a)  In  General. — A  health  information  trustee  may  disclose
protected  health  information  if  the  trustee  believes,
on  reasonable  grounds,  that  the  disclosure  is  necessary  to 
prevent  or  lessen  a  serious  and  imminent  threat  to  the 
health  or  safety  of  an  individual. 

(b)  Use  in  Action  Against  Individual.— A  person  who 
receives  protected  health  information  about  a  protected  in- 
dividual through  a  disclosure  under  this  section  may  not 
use  or  disclose  the  information  in  any  administrative,  civil, 
or  criminal  action  or  investigation  directed  against  the  in- 
dividual, except  an  action  or  investigation  arising  out  of 
and  related  to  receipt  of  health  care  or  payment  for  health
care. 

SEC.  5138.  JUDICIAL  AND  ADMINISTRATIVE  PURPOSES. 

(a)  In  General. — A  health  information  trustee  described 
in  subsection  (d)  may  disclose  protected  health  informa- 
tion— 

(1)  pursuant  to  the  Federal  Rules  of  Civil  Procedure, 
the  Federal  Rules  of  Criminal  Procedure,  or  com- 
parable rules  of  other  courts  or  administrative  agen- 
cies in  connection  with  litigation  or  proceedings  to 
which  a  protected  individual  who  is  a  subject  of  the  in- 
formation is  a  party  and  in  which  the  individual  has 
placed  the  individual's  physical  or  mental  condition  or 
functional  status  in  issue; 

(2)  if  directed  by  a  court  in  connection  with  a  court- 
ordered  examination  of  an  individual;  or 

(3)  to  assist  in  the  identification  of  a  dead  individ- 
ual. 

(b)  Written  Statement. — A  person  seeking  protected 
health  information  about  a  protected  individual  held  by 
a  health  information  trustee  under —

(1)  subsection  (a)(1) — 

(A)  shall  notify  the  protected  individual  or  the 
attorney  of  the  protected  individual  of  the  request 
for  the  information; 

(B)  shall  provide  the  trustee  with  a  signed  docu- 
ment attesting — 

(i)  that  the  protected  individual  is  a  party 
to  the  litigation  or  proceedings  for  which  the 
information  is  sought; 

(ii)  that  the  individual  has  placed  the  indi- 
vidual's physical  or  mental  condition  or  func- 
tional status  in  issue;  and 

(iii)  the  date  on  which  the  protected  individ- 
ual or  the  attorney  of  the  protected  individual 
was  notified  under  subparagraph  (A);  and 

(C)  shall  not  accept  any  requested  protected 
health  information  from  the  trustee  until  the  termination
of  the  10-day  period  beginning  on  the
date  notice  was  given  under  subparagraph  (A);  or

(2)  subsection  (a)(3)  shall  provide  the  trustee  with  a
written  statement  that  the  information  is  sought  to  as- 
sist in  the  identification  of  a  dead  individual. 

(c)  Use  and  Disclosure. — A  person  to  whom  protected
health  information  is  disclosed  under  this  section  may  use 
and  disclose  the  information  only  to  accomplish  the  pur- 
pose for  which  the  disclosure  was  made. 

(d)  Applicability.— A  health  information  trustee  re- 
ferred to  in  subsection  (a)  is  any  of  the  following: 

(1)  A  health  benefit  plan  sponsor. 

(2)  A  health  care  provider. 

(3)  A  health  oversight  agency. 

(4)  A  person  who,  with  respect  to  the  specific  pro- 
tected health  information  to  be  disclosed  under  such 
subsection,  received  the  information — 

(A)  pursuant  to — 

(i)  section  5137  (relating  to  emergency  cir- 
cumstances); or 

(ii)  section  5140  (relating  to  subpoenas, 
warrants,  and  search  warrants);  or 

(B)  while  acting  in  whole  or  in  part  in  the  ca- 
pacity of  an  officer  or  employee  of  a  person  de- 
scribed in  subparagraph  (A). 

SEC.  5139.  LAW  ENFORCEMENT. 

(a)  In  General. — A  health  information  trustee,  other
than  a  health  information  service  organization,  may  dis- 
close protected  health  information  to  a  law  enforcement 
agency,  other  than  a  health  oversight  agency — 

(1)  if  the  information  is  disclosed  for  use  in  an  inves- 
tigation or  prosecution  of  a  health  information  trustee; 

(2)  in  connection  with  criminal  activity  committed 
against  the  trustee  or  an  affiliated  person  of  the  trust- 
ee or  on  premises  controlled  by  the  trustee;  or 

(3)  if  the  information  is  needed  to  determine  wheth- 
er a  crime  has  been  committed  and  the  nature  of  any 
crime  that  may  have  been  committed  (other  than  a 
crime  that  may  have  been  committed  by  the  protected 
individual  who  is  the  subject  of  the  information). 

(b)  Additional  Authority  of  Certain  Trustees.— A 
health  information  trustee  who  is  not  a  health  information 
service  organization,  a  public  health  authority,  or  a  health 
researcher  may  disclose  protected  health  information  to  a 
law  enforcement  agency  (other  than  a  health  oversight 
agency)— 

(1)  to  assist  in  the  identification  or  location  of  a  vic- 
tim, fugitive,  or  witness  in  a  law  enforcement  inquiry; 

(2)  pursuant  to  a  law  requiring  the  reporting  of  spe- 
cific health  care  information  to  law  enforcement  au- 
thorities; or 

(3)  if  the  information  is  specific  health  information 
described  in  paragraph  (2)  and  the  trustee  is  operated 
by  a  Federal  agency; 

(c)  Certification. — Where  a  law  enforcement  agency  requests
a  health  information  trustee  to  disclose  protected
health  information  under  subsection  (a)  or  (b)(1),  the  agen- 
cy shall  provide  the  trustee  with  a  written  certification 
that— 

(1)  is  signed  by  a  supervisory  official  of  a  rank  des- 
ignated by  the  head  of  the  agency; 

(2)  specifies  the  information  requested;  and 

(3)  states  that  the  information  is  needed  for  a  lawful 
purpose  under  this  section. 

(d)  Restrictions  on  Disclosure  and  Use.— A  person 
who  receives  protected  health  information  about  a  pro- 
tected individual  through  a  disclosure  under  this  section 
may  not  use  or  disclose  the  information — 

(1)  in  any  administrative,  civil,  or  criminal  action  or 
investigation  directed  against  the  individual,  except  an 
action  or  investigation  arising  out  of  and  directly  re- 
lated to  the  action  or  investigation  for  which  the  infor- 
mation was  obtained;  and 

(2)  otherwise  unless  the  use  or  disclosure  is  nec- 
essary to  fulfill  the  purpose  for  which  the  information 
was  obtained  and  is  not  prohibited  by  any  other  provision
of  law.

SEC.  5140.  SUBPOENAS,  WARRANTS,  AND  SEARCH  WARRANTS. 

(a)  In  General. — A  health  information  trustee  described
in  subsection  (g)  may  disclose  protected  health  information 
if  the  disclosure  is  pursuant  to  any  of  the  following: 

(1)  A  subpoena  issued  under  the  authority  of  a 
grand  jury  and  the  trustee  is  provided  a  written  cer- 
tification by  the  grand  jury  that  the  grand  jury  has 
complied  with  the  applicable  access  provisions  of  sec- 
tion 5151. 

(2)  An  administrative  subpoena  or  warrant  or  a  judi- 
cial subpoena  or  search  warrant  and  the  trustee  is 
provided  a  written  certification  by  the  person  seeking 
the  information  that  the  person  has  complied  with  the 
applicable  access  provisions  of  section  5151  or  5153(a). 

(3)  An  administrative  subpoena  or  warrant  or  a  judi- 
cial subpoena  or  search  warrant  and  the  disclosure 
otherwise  meets  the  conditions  of  one  of  sections  5133 
through  5139. 

(b)  Authority  of  All  Trustees.— Any  health  informa- 
tion trustee  may  disclose  protected  health  information  if 
the  disclosure  is  pursuant  to  subsection  (a)(3). 

(c)  Restrictions  on  Use  and  Disclosure.— Protected 
health  information  about  a  protected  individual  that  is  dis- 
closed by  a  health  information  trustee  pursuant  to — 

(1)  subsection  (a)(2)  may  not  be  otherwise  used  or 
disclosed  by  the  recipient  unless  the  use  or  disclosure 
is  necessary  to  fulfill  the  purpose  for  which  the  infor- 
mation was  obtained;  and 

(2)  subsection  (a)(3)  may  not  be  used  or  disclosed  by 
the  recipient  unless  the  recipient  complies  with  the 
conditions  and  restrictions  on  use  and  disclosure  with 
which  the  recipient  would  have  been  required  to  comply
if  the  disclosure  by  the  trustee  had  been  made
under  the  section  referred  to  in  subsection  (a)(3)  the 
conditions  of  which  were  met  by  the  disclosure. 

(d)  Restrictions  on  Grand  Juries. — Protected  health
information  that  is  disclosed  by  a  health  information  trust- 
ee under  subsection  (a)(1) — 

(1)  shall  be  returnable  on  a  date  when  the  grand 
jury  is  in  session  and  actually  presented  to  the  grand 
jury; 

(2)  shall  be  used  only  for  the  purpose  of  considering 
whether  to  issue  an  indictment  or  report  by  that  grand 
jury,  or  for  the  purpose  of  prosecuting  a  crime  for 
which  that  indictment  or  report  is  issued,  or  for  a  pur- 
pose authorized  by  rule  6(e)  of  the  Federal  Rules  of 
Criminal  Procedure  or  a  comparable  State  rule; 

(3)  shall  be  destroyed  or  returned  to  the  trustee  if 
not  used  for  one  of  the  purposes  specified  in  paragraph 
(2);  and 

(4)  shall  not  be  maintained,  or  a  description  of  the 
contents  of  such  information  shall  not  be  maintained, 
by  any  government  authority  other  than  in  the  sealed 
records  of  the  grand  jury,  unless  such  information  has 
been  used  in  the  prosecution  of  a  crime  for  which  the 
grand  jury  issued  an  indictment  or  presentment  or  for 
a  purpose  authorized  by  rule  6(e)  of  the  Federal  Rules 
of  Criminal  Procedure  or  a  comparable  State  rule. 

(e)  Use  in  Action  Against  Individual.— A  person  who 
receives  protected  health  information  about  a  protected  in- 
dividual through  a  disclosure  under  this  section  may  not 
use  or  disclose  the  information  in  any  administrative,  civil, 
or  criminal  action  or  investigation  directed  against  the  in- 
dividual, except  an  action  or  investigation  arising  out  of 
and  directly  related  to  the  inquiry  for  which  the  informa- 
tion was  obtained; 

(f)  Construction. — Nothing  in  this  section  shall  be  construed
as  authority  for  a  health  information  trustee  to
refuse  to  comply  with  a  valid  administrative  subpoena  or 
warrant  or  a  valid  judicial  subpoena  or  search  warrant 
that  meets  the  requirements  of  this  part. 

(g)  Applicability. — A  health  information  trustee  re- 
ferred to  in  subsection  (a)  is  any  trustee  other  than  the  fol- 
lowing: 

(1)  A  health  information  service  organization. 

(2)  A  public  health  authority. 

(3)  A  health  researcher. 

SEC.  5141.  HEALTH  INFORMATION  SERVICE  ORGANIZATIONS. 

A  health  information  trustee  may  disclose  protected 
health  information  to  a  health  information  service  organization
for  the  purpose  of  permitting  the  organization  to
perform  a  function  for  which  the  Secretary  has  authorized 
(by  means  of  a  designation  or  certification)  the  organiza- 
tion to  receive  access  to  health  care  data  in  electronic  or 
magnetic  form  that  are  regulated  by  this  Act.

Subpart  C — Access  Procedures  and
Challenge  Rights 

SEC.  5151.  ACCESS  PROCEDURES  FOR  LAW  ENFORCEMENT 
SUBPOENAS,  WARRANTS,  AND  SEARCH  WAR- 
RANTS. 

(a)  Probable  Cause  Requirement.— A  government  au- 
thority may  not  obtain  protected  health  information  about 
a  protected  individual  from  a  health  information  trustee 
under  paragraph  (1)  or  (2)  of  section  5140(a)  for  use  in  a 
law  enforcement  inquiry  unless  there  is  probable  cause  to 
believe  that  the  information  is  relevant  to  a  legitimate  law 
enforcement  inquiry  being  conducted  by  the  government 
authority. 

(b)  Warrants  and  Search  Warrants.— A  government
authority  that  obtains  protected  health  information  about 
a  protected  individual  from  a  health  information  trustee 
under  circumstances  described  in  subsection  (a)  and  pursu- 
ant to  a  warrant  or  search  warrant  shall,  not  later  than 
30  days  after  the  date  the  warrant  was  served  on  the 
trustee,  serve  the  individual  with,  or  mail  to  the  last 
known  address  of  the  individual,  a  copy  of  the  warrant. 

(c)  Subpoenas. — Except  as  provided  in  subsection  (d),  a
government  authority  may  not  obtain  protected  health  in- 
formation about  a  protected  individual  from  a  health  infor- 
mation trustee  under  circumstances  described  in  sub- 
section (a)  and  pursuant  to  a  subpoena  unless  a  copy  of  the 
subpoena  has  been  served  by  hand  delivery  upon  the  indi- 
vidual, or  mailed  to  the  last  known  address  of  the  individ- 
ual, on  or  before  the  date  on  which  the  subpoena  was 
served  on  the  trustee,  together  with  a  notice  (published  by 
the  Secretary  under  section  5155(1))  of  the  individual's 
right  to  challenge  the  subpoena  in  accordance  with  section 
5152,  and— 

(1)  30  days  have  passed  from  the  date  of  service,  or 
30  days  have  passed  from  the  date  of  mailing,  and 
within  such  time  period  the  individual  has  not  initi- 
ated a  challenge  in  accordance  with  section  5152;  or 

(2)  disclosure  is  ordered  by  a  court  under  section 
5152. 

(d)  Application  for  Delay.— 

(1)  In  general. — A  government  authority  may  apply
to  an  appropriate  court  to  delay  (for  an  initial  period 
of  not  longer  than  90  days)  serving  a  copy  of  a  sub- 
poena and  a  notice  otherwise  required  under  sub- 
section (c)  with  respect  to  a  law  enforcement  inquiry. 
The  government  authority  may  apply  to  the  court  for 
extensions  of  the  delay. 

(2)  Reasons  for  delay.— An  application  for  a  delay, 
or  extension  of  a  delay,  under  this  subsection  shall
state,  with  reasonable  specificity,  the  reasons  why  the 
delay  or  extension  is  being  sought. 

(3)  Ex  parte  order.— The  court  shall  enter  an  ex 
parte  order  delaying,  or  extending  the  delay  of,  the  notice
and  an  order  prohibiting  the  trustee  from  revealing
the  request  for,  or  the  disclosure  of,  the  protected
health  information  being  sought  if  the  court  finds 
that— 

(A)  the  inquiry  being  conducted  is  within  the 
lawful  jurisdiction  of  the  government  authority 
seeking  the  protected  health  information;

(B)  there  is  probable  cause  to  believe  that  the 
protected  health  information  being  sought  is  rel- 
evant to  a  legitimate  law  enforcement  inquiry 
being  conducted  by  the  government  authority; 

(C)  the  government  authority's  need  for  the  in- 
formation outweighs  the  privacy  interest  of  the 
protected  individual  who  is  the  subject  of  the  in- 
formation; and 

(D)  there  are  reasonable  grounds  to  believe  that 
receipt  of  a  notice  by  the  individual  will  result 
in — 

(i)  endangering  the  life  or  physical  safety  of 
any  individual; 

(ii)  flight  from  prosecution; 

(iii)  destruction  of  or  tampering  with  evi- 
dence or  the  information  being  sought;  or 

(iv)  intimidation  of  potential  witnesses. 

(4)  Service  of  application  on  individual. — Upon 
the  expiration  of  a  period  of  delay  of  notice  under  this 
subsection,  the  government  authority  shall  serve  upon 
the  individual,  with  the  service  of  the  subpoena  and 
the  notice,  a  copy  of  any  applications  filed  and  ap- 
proved under  this  subsection. 

SEC.  5152.  CHALLENGE  PROCEDURES  FOR  LAW  ENFORCE- 
MENT SUBPOENAS. 

(a)  Motion  to  Quash  Subpoena.— Within  30  days  of  the 
date  of  service,  or  30  days  of  the  date  of  mailing,  of  a  sub- 
poena of  a  government  authority  seeking  protected  health 
information  about  a  protected  individual  from  a  health  in- 
formation trustee  under  paragraph  (1)  or  (2)  of  section 
5140(a)  (except  a  subpoena  to  which  section  5153  applies), 
the  individual  may  file  (without  filing  fee)  a  motion  to 
quash  the  subpoena — 

(1)  in  the  case  of  a  State  judicial  subpoena,  in  the 
court  which  issued  the  subpoena; 

(2)  in  the  case  of  a  subpoena  issued  under  the  au- 
thority of  a  State  that  is  not  a  State  judicial  subpoena, 
in  a  court  of  competent  jurisdiction; 

(3)  in  the  case  of  a  subpoena  issued  under  the  au- 
thority of  a  Federal  court,  in  any  court  of  the  United 
States  of  competent  jurisdiction;  or 

(4)  in  the  case  of  any  other  subpoena  issued  under 
the  authority  of  the  United  States,  in — 

(A)  the  United  States  district  court  for  the  dis- 
trict in  which  the  individual  resides  or  in  which 
the  subpoena  was  issued;  or 

(B)  another  United  States  district  court  of  competent
jurisdiction.

(b)  Copy. — A  copy  of  the  motion  shall  be  served  by  the
individual  upon  the  government  authority  by  delivery  of 
registered  or  certified  mail. 

(c)  Affidavits  and  Sworn  Documents. — The  government
authority  may  file  with  the  court  such  affidavits  and
other  sworn  documents  as  sustain  the  validity  of  the  sub- 
poena. The  individual  may  file  with  the  court,  within  5 
days  of  the  date  of  the  authority's  filing,  affidavits  and 
sworn  documents  in  response  to  the  authority's  filing.  The 
court,  upon  the  request  of  the  individual,  the  government 
authority,  or  both,  may  proceed  in  camera. 

(d)  Proceedings  and  Decision  on  Motion. — The  court 
may  conduct  such  proceedings  as  it  deems  appropriate  to 
rule  on  the  motion.  All  such  proceedings  shall  be  com- 
pleted, and  the  motion  ruled  on,  within  10  calendar  days 
of  the  date  of  the  government  authority's  filing. 

(e)  Extension  of  Time  Limits  for  Good  Cause. — The
court,  for  good  cause  shown,  may  at  any  time  in  its  discre- 
tion enlarge  the  time  limits  established  by  subsections  (c) 
and  (d). 

(f)  Standard  for  Decision.— A  court  may  deny  a  motion
under  subsection  (a)  if  it  finds  that  there  is  probable
cause  to  believe  that  the  protected  health  information 
being  sought  is  relevant  to  a  legitimate  law  enforcement 
inquiry  being  conducted  by  the  government  authority,  un- 
less the  court  finds  that  the  individual's  privacy  interest 
outweighs  the  government  authority's  need  for  the  information.
The  individual  shall  have  the  burden  of  demonstrating
that  the  individual's  privacy  interest  outweighs
the  need  established  by  the  government  authority  for  the 
information. 

(g)  Specific  Considerations  With  Respect  to  Privacy 
Interest. — In  determining  under  subsection  (f)  whether 
an  individual's  privacy  interest  outweighs  the  government 
authority's  need  for  the  information,  the  court  shall  consider—

(1)  the  particular  purpose  for  which  the  information 
was  collected  by  the  trustee; 

(2)  the  degree  to  which  disclosure  of  the  information 
will  embarrass,  injure,  or  invade  the  privacy  of  the  in- 
dividual; 

(3)  the  effect  of  the  disclosure  on  the  individual's  fu- 
ture health  care; 

(4)  the  importance  of  the  inquiry  being  conducted  by 
the  government  authority,  and  the  importance  of  the 
information  to  that  inquiry;  and 

(5)  any  other  factor  deemed  relevant  by  the  court. 

(h)  Attorney's  Fees. — In  the  case  of  any  motion 
brought  under  subsection  (a)  in  which  the  individual  has 
substantially  prevailed,  the  court,  in  its  discretion,  may  assess
against  a  government  authority  a  reasonable  attorney's
fee  and  other  litigation  costs  (including  expert  fees)
reasonably  incurred. 

(i)  No  Interlocutory  Appeal.— A  court  ruling  denying 
a  motion  to  quash  under  this  section  shall  not  be  deemed 
a  final  order  and  no  interlocutory  appeal  may  be  taken 
therefrom  by  the  individual.  An  appeal  of  such  a  ruling 
may  be  taken  by  the  individual  within  such  period  of  time 
as  is  provided  by  law  as  part  of  any  appeal  from  a  final 
order  in  any  legal  proceeding  initiated  against  the  individ- 
ual arising  out  of  or  based  upon  the  protect  health  infor- 
mation disclosed. 

SEC.  5153.  ACCESS  AND  CHALLENGE  PROCEDURES  FOR 
OTHER  SUBPOENAS. 

(a)  In  General. — A  person  (other  than  a  government 
authority  seeking  protected  health  information  under  cir- 
cumstances described  in  section  5151(a))  may  not  obtain 
protected  health  information  about  a  protected  individual 
from  a  health  information  trustee  pursuant  to  a  subpoena 
under  section  5140(a)(2)  unless — 

(1)  a  copy  of  the  subpoena  has  been  served  upon  the 
individual  or  mailed  to  the  last  known  address  of  the 
individual  on  or  before  the  date  on  which  the  sub- 
poena was  served  on  the  trustee,  together  with  a  no- 
tice (published  by  the  Secretary  under  section  5155(2)) 
of  the  individual's  right  to  challenge  the  subpoena,  in 
accordance  with  subsection  (b);  and 

(2)  either— 

(A)  30  days  have  passed  from  the  date  of  service 
or  30  days  have  passed  from  the  date  of  the  mail- 
ing and  within  such  time  period  the  individual 
has  not  initiated  a  challenge  in  accordance  with 
subsection  (b);  or 

(B)  disclosure  is  ordered  by  a  court  under  such 
subsection. 

(b)  Motion  to  Quash.— Within  30  days  of  the  date  of 
service  or  30  days  of  the  date  of  mailing  of  a  subpoena 
seeking  protected  health  information  about  a  protected  in- 
dividual from  a  health  information  trustee  under  sub- 
section (a),  the  individual  may  file  (without  filing  fee)  in 
any  court  of  competent  jurisdiction,  a  motion  to  quash  the 
subpoena,  with  a  copy  served  on  the  person  seeking  the  in- 
formation. The  individual  may  oppose,  or  seek  to  limit,  the 
subpoena  on  any  grounds  that  would  otherwise  be  avail- 
able if  the  individual  were  in  possession  of  the  informa- 
tion. 

(c)  Standard  for  Decision.— The  court  shall  grant  an 
individual's  motion  under  subsection  (b)  if  the  person  seeking
the  information  has  not  sustained  the  burden  of  demonstrating
that —

(1)  there  are  reasonable  grounds  to  believe  that  the 
information  will  be  relevant  to  a  lawsuit  or  other  judi- 
cial or  administrative  proceeding;  and 

(2)  the  need  of  the  person  for  the  information  out- 
weighs the  privacy  interest  of  the  individual. 

(d)  Specific  Considerations  With  Respect  to  Privacy
Interest. — In  determining  under  subsection  (c)  whether 
the  need  of  the  person  for  the  information  outweighs  the 
privacy  interest  of  the  individual,  the  court  shall  con- 
sider— 

(1)  the  particular  purpose  for  which  the  information 
was  collected  by  the  trustee; 

(2)  the  degree  to  which  disclosure  of  the  information 
will  embarrass,  injure,  or  invade  the  privacy  of  the  in- 
dividual; 

(3)  the  effect  of  the  disclosure  on  the  individual's  fu- 
ture health  care; 

(4)  the  importance  of  the  information  to  the  lawsuit 
or  proceeding;  and 

(5)  any  other  factor  deemed  relevant  by  the  court. 

(e)  Attorney's  Fees. — In  the  case  of  any  motion  brought 
under  subsection  (b)  by  an  individual  against  a  person  in 
which  the  individual  has  substantially  prevailed,  the  court, 
in  its  discretion,  may  assess  against  the  person  a  reason- 
able attorney's  fee  and  other  litigation  costs  (including  ex- 
pert fees)  reasonably  incurred. 

SEC.  5154.  CONSTRUCTION  OF  SUBPART;  SUSPENSION  OF 
STATUTE  OF  LIMITATIONS. 

(a)  In  General. — Nothing  in  this  subpart  shall  affect
the  right  of  a  health  information  trustee  to  challenge  a  re- 
quest for  protected  health  information.  Nothing  in  this 
subpart  shall  entitle  a  protected  individual  to  assert  the 
rights  of  a  health  information  trustee. 

(b)  Effect  of  Motion  on  Statute  of  Limitations. — If 
an  individual  who  is  the  subject  of  protected  health  infor- 
mation files  a  motion  under  this  subpart  which  has  the  ef- 
fect of  delaying  the  access  of  a  government  authority  to 
such  information,  the  period  beginning  on  the  date  such 
motion  was  filed  and  ending  on  the  date  on  which  the  mo- 
tion is  decided  shall  be  excluded  in  computing  any  period 
of  limitations  within  which  the  government  authority  may 
commence  any  civil  or  criminal  action  in  connection  with 
which  the  access  is  sought. 

SEC.  5155.  RESPONSIBILITIES  OF  SECRETARY.

Not  later  than  July  1,  1996,  the  Secretary,  after  notice 
and  opportunity  for  public  comment,  shall  develop  and  dis- 
seminate brief,  clear,  and  easily  understood  model  no- 
tices— 

(1)  for  use  under  subsection  (c)  of  section  5151,  de- 
tailing the  rights  of  a  protected  individual  who  wishes 
to  challenge,  under  section  5152,  the  disclosure  of  pro- 
tected health  information  about  the  individual  under 
such  subsection;  and 

(2)  for  use  under  subsection  (a)  of  section  5153,  de- 
tailing the  rights  of  a  protected  individual  who  wishes 
to  challenge,  under  subsection  (b)  of  such  section,  the 
disclosure  of  protected  health  information  about  the 
individual  under  such  section. 

Subpart  D — Miscellaneous  Provisions

SEC.  5161.  PAYMENT  CARD  AND  ELECTRONIC  PAYMENT 
TRANSACTIONS. 

(a)  Payment  for  Health  Care  Through  Card  or 
Electronic  Means. — If  a  protected  individual  pays  a 
health  information  trustee  for  health  care  by  presenting  a 
debit,  credit,  or  other  payment  card  or  account  number,  or 
by  any  other  electronic  payment  means,  the  trustee  may 
disclose  to  a  person  described  in  subsection  (b)  only  such 
protected  health  information  about  the  individual  as  is 
necessary  for  the  processing  of  the  payment  transaction  or 
the  billing  or  collection  of  amounts  charged  to,  debited 
from,  or  otherwise  paid  by,  the  individual  using  the  card, 
number,  or  other  electronic  payment  means.

(b)  Transaction  Processing.— A  person  who  is  a  debit, 
credit,  or  other  payment  card  issuer,  is  otherwise  directly 
involved  in  the  processing  of  payment  transactions  involving
such  cards  or  other  electronic  payment  transactions,  or
is  otherwise  directly  involved  in  the  billing  or  collection  of 
amounts  paid  through  such  means,  may  only  use  or  dis- 
close protected  health  information  about  a  protected  indi- 
vidual that  has  been  disclosed  in  accordance  with  sub- 
section (a)  when  necessary  for — 

(1)  the  authorization,  settlement,  billing  or  collection 
of  amounts  charged  to,  debited  from,  or  otherwise  paid 
by,  the  individual  using  a  debit,  credit,  or  other  pay- 
ment card  or  account  number,  or  by  other  electronic 
payment  means;

(2)  the  transfer  of  receivables,  accounts,  or  interest 
therein; 

(3)  the  audit  of  the  credit,  debit,  or  other  payment 
card  account  information; 

(4)  compliance  with  Federal,  State,  or  local  law;  or 

(5)  a  properly  authorized  civil,  criminal,  or  regu- 
latory investigation  by  Federal,  State,  or  local  authori- 
ties. 

SEC.  5162.  ACCESS  TO  PROTECTED  HEALTH  INFORMATION 
OUTSIDE  OF  THE  UNITED  STATES. 

(a)  In  General. — Notwithstanding  the  provisions  of  subpart
B,  and  except  as  provided  in  subsection  (b),  a  health
information  trustee  may  not  permit  any  person  who  is  not 
in  a  State  to  have  access  to  protected  health  information 
about  a  protected  individual  unless  one  or  more  of  the  fol- 
lowing conditions  exist: 

(1)  Specific  authorization.— The  individual  has 
specifically  consented  to  the  provision  of  such  access 
outside  of  the  United  States  in  an  authorization  that 
meets  the  requirements  of  section  5132. 

(2)  Equivalent  protection. — The  provision  of  such
access  is  authorized  under  this  part  and  the  Secretary 
has  determined  that  there  are  fair  information  prac- 
tices for  protected  health  information  in  the  jurisdic- 
tion where  the  access  will  be  provided  that  provide 
protections  for  individuals  and  protected  health  information
that  are  equivalent  to  the  protections  provided
for  by  this  part. 

(3)  Access  required  by  law. — The  provision  of 
such  access  is  required  under — 

(A)  a  Federal  statute;  or 

(B)  a  treaty  or  other  international  agreement 
applicable  to  the  United  States. 

(b)  Exceptions. — Subsection  (a)  does  not  apply  where 
the  provision  of  access  to  protected  health  information — 

(1)  is  to  a  foreign  public  health  authority; 

(2)  is  authorized  under  section  5134  (relating  to  next 
of  kin  and  directory  information),  5136  (relating  to 
health  research),  or  5137  (relating  to  emergency  cir- 
cumstances); or 

(3)  is  necessary  for  the  purpose  of  providing  for  pay- 
ment for  health  care  that  has  been  provided  to  an  in- 
dividual. 

SEC.  5163.  STANDARDS  FOR  ELECTRONIC  DOCUMENTS  AND 
COMMUNICATIONS. 

(a)  Standards. — Not  later  than  July  1,  1996,  the  Sec- 
retary, after  notice  and  opportunity  for  public  comment 
and  in  consultation  with  appropriate  private  standard-set- 
ting organizations  and  other  interested  parties,  shall  es- 
tablish standards  with  respect  to  the  creation,  trans- 
mission, receipt,  and  maintenance,  in  electronic  and  mag- 
netic form,  of  each  type  of  written  document  specifically  re- 
quired or  authorized  under  this  part.  Where  a  signature  is 
required  under  any  other  provision  of  this  part,  such 
standards  shall  provide  for  an  electronic  or  magnetic  sub- 
stitute that  serves  the  functional  equivalent  of  a  signature. 

(b)  Treatment  of  Complying  Documents  and  Communications. — An
electronic  or  magnetic  document  or  communication
that  satisfies  the  standards  established  under
subsection  (a)  with  respect  to  such  document  or  commu- 
nication shall  be  treated  as  satisfying  the  requirements  of 
this  part  that  apply  to  an  equivalent  written  document. 

SEC.  5164.  DUTIES  AND  AUTHORITIES  OF  AFFILIATED  PER- 
SONS. 

(a)  Requirements  on  Trustees. — 

(1)  Provision  of  information.— A  health  informa- 
tion trustee  may  provide  protected  health  information 
to  a  person  who,  with  respect  to  the  trustee,  is  an  af- 
filiated person  and  may  permit  the  affiliated  person  to 
use  such  information,  only  for  the  purpose  of  conduct- 
ing, supporting,  or  facilitating  an  activity  that  the 
trustee  is  authorized  to  undertake. 

(2)  Notice  to  affiliated  person.— A  health  infor- 
mation trustee  shall  notify  a  person  who,  with  respect 
to  the  trustee,  is  an  affiliated  person  of  any  duties 
under  this  part  that  the  affiliated  person  is  required 
to  fulfill  and  of  any  authorities  under  this  part  that 
the  affiliated  person  is  authorized  to  exercise. 

(b)  Duties  of  Affiliated  Persons. — 

(1)  In  general. — An  affiliated  person  shall  fulfill
any  duty  under  this  part  that — 

(A)  the  health  information  trustee  with  whom 
the  person  has  an  agreement  or  relationship  de- 
scribed in  section  5120(c)(1)(C)  is  required  to  ful- 
fill; and 

(B)  the  person  has  undertaken  to  fulfill  pursu- 
ant to  such  agreement  or  relationship. 

(2)  Construction  of  other  subparts. — With  respect
to  a  duty  described  in  paragraph  (1)  that  an  affiliated
person  is  required  to  fulfill,  the  person  shall  be
considered  a  health  information  trustee  for  purposes  of
this  part.  The  person  shall  be  subject  to  subpart  E  (relating
to  enforcement)  with  respect  to  any  such  duty
that  the  person  fails  to  fulfill.

(3)  Effect  on  trustee. — An  agreement  or  relationship
with  an  affiliated  person  does  not  relieve  a  health
information  trustee  of  any  duty  or  liability  under  this 
part. 

(c)  Authorities  of  Affiliated  Persons. — 

(1)  In  general. — An  affiliated  person  may  only  exercise
an  authority  under  this  part  that  the  health  information
trustee  with  whom  the  person  is  affiliated
may  exercise  and  that  the  person  has  been  given  by
the  trustee  pursuant  to  an  agreement  or  relationship
described  in  section  5120(c)(1)(C).  With  respect  to  any
such  authority,  the  person  shall  be  considered  a  health
information  trustee  for  purposes  of  this  part.  The  person
shall  be  subject  to  subpart  E  (relating  to  enforcement)
with  respect  to  any  act  that  exceeds  such  authority.

(2)  Effect  on  trustee. — An  agreement  or  relationship
with  an  affiliated  person  does  not  affect  the  authority
of  a  health  information  trustee  under  this  part.

SEC.  5165.  AGENTS  AND  ATTORNEYS. 

(a)  In  General. — Except  as  provided  in  subsections  (b)
and  (c),  a  person  who  is  authorized  by  law  (on  grounds 
other  than  an  individual's  minority),  or  by  an  instrument 
recognized  under  law,  to  act  as  an  agent,  attorney,  proxy, 
or  other  legal  representative  for  a  protected  individual  or 
the  estate  of  a  protected  individual,  or  otherwise  to  exer- 
cise the  rights  of  the  individual  or  estate,  may,  to  the  ex- 
tent authorized,  exercise  and  discharge  the  rights  of  the 
individual  or  estate  under  this  part. 

(b)  Health  Care  Power  of  Attorney. — A  person  who
is  authorized  by  law  (on  grounds  other  than  an  individ- 
ual's minority),  or  by  an  instrument  recognized  under  law, 
to  make  decisions  about  the  provision  of  health  care  to  an 
individual  who  is  incapacitated  may  exercise  and  discharge 
the  rights  of  the  individual  under  this  part  to  the  extent 
necessary  to  effectuate  the  terms  or  purposes  of  the  grant 
of  authority. 

(c)  No  Court  Declaration.— If  a  health  care  provider 
determines  that  an  individual,  who  has  not  been  declared 
to  be  legally  incompetent,  suffers  from  a  medical  condition
that  prevents  the  individual  from  acting  knowingly  or  ef- 
fectively on  the  individual's  own  behalf,  the  right  of  the  in- 
dividual to  authorize  disclosure  under  section  5132  may  be 
exercised  and  discharged  in  the  best  interest  of  the  indi- 
vidual by — 

(1)  a  person  described  in  subsection  (b)  with  respect 
to  the  individual; 

(2)  a  person  described  in  subsection  (a)  with  respect 
to  the  individual,  but  only  if  a  person  described  in 
paragraph  (1)  cannot  be  contacted  after  a  reasonable 
effort; 

(3)  the  next  of  kin  of  the  individual,  but  only  if  a 
person  described  in  paragraph  (1)  or  (2)  cannot  be  con- 
tacted after  a  reasonable  effort;  or 

(4)  the  health  care  provider,  but  only  if  a  person  de- 
scribed in  paragraph  (1),  (2),  or  (3)  cannot  be  contacted 
after  a  reasonable  effort. 

SEC.  5166.  MINORS. 

(a)  Individuals  Who  Are  18  or  Legally  Capable.— In 
the  case  of  an  individual — 

(1)  who  is  18  years  of  age  or  older,  all  rights  of  the 
individual  shall  be  exercised  by  the  individual,  except 
as  provided  in  section  5165;  or 

(2)  who,  acting  alone,  has  the  legal  capacity  to  apply 
for  and  obtain  health  care  and  has  sought  such  care, 
the  individual  shall  exercise  all  rights  of  an  individual 
under  this  part  with  respect  to  protected  health  infor- 
mation relating  to  such  care. 

(b)  Individuals  Under  18. — Except  as  provided  in  subsection
(a)(2),  in  the  case  of  an  individual  who  is — 

(1)  under  14  years  of  age,  all  the  individual's  rights 
under  this  part  shall  be  exercised  through  the  parent 
or  legal  guardian  of  the  individual;  or 

(2)  14,  15,  16,  or  17  years  of  age,  the  right  of  inspec- 
tion (under  section  5121),  the  right  of  amendment 
(under  section  5122),  and  the  right  to  authorize  disclo- 
sure of  protected  health  information  (under  section 
5132)  of  the  individual  may  be  exercised  either  by  the 
individual  or  by  the  parent  or  legal  guardian  of  the  in- 
dividual. 

SEC.  5167.  MAINTENANCE  OF  CERTAIN  PROTECTED  HEALTH
INFORMATION. 

(a)  In  General. — A  State  shall  establish  a  process  under
which  the  protected  health  information  described  in  sub- 
section (b)  that  is  maintained  by  a  person  described  in  sub- 
section (c)  is  delivered  to,  and  maintained  by,  the  State  or 
an  individual  or  entity  designated  by  the  State. 

(b)  Information  Described. — The  protected  health  information
referred  to  in  subsection  (a)  is  protected  health
information  that — 

(1)  is  recorded  in  any  form  or  medium; 

(2)  is  created  by — 

(A)  a  health  care  provider;  or

(B)  a  health  benefit  plan  sponsor  that  provides 
benefits  in  the  form  of  items  and  services  to  enrollees
and  not  in  the  form  of  reimbursement  for
items  and  services;  and 

(3)  relates  in  any  way  to  the  past,  present,  or  future 
physical  or  mental  health  or  condition  or  functional 
status  of  a  protected  individual  or  the  provision  of 
health  care  to  a  protected  individual.

(c)  Persons  Described. — A  person  referred  to  in  subsection
(a)  is  any  of  the  following:

(A)  A  health  care  facility  previously  located  in 
the  State  that  has  closed. 

(B)  A  professional  practice  previously  operated 
by  a  health  care  provider  in  the  State  that  has 
closed. 

(C)  A  health  benefit  plan  sponsor  that — 

(i)  previously  provided  benefits  in  the  form 
of  items  and  services  to  enrollees  in  the  State; 
and 

(ii)  has  ceased  to  do  business. 

Subpart  E — Enforcement

SEC.  5171.  CIVIL  ACTIONS. 

(a)  In  General. — Any  individual  whose  right  under  this
part  has  been  knowingly  or  negligently  violated — 

(1)  by  a  health  information  trustee,  or  any  other  per- 
son, who  is  not  described  in  paragraph  (2),  (3),  (4),  or 
(5)  may  maintain  a  civil  action  for  actual  damages  and 
for  equitable  relief  against  the  health  information 
trustee  or  other  person; 

(2)  by  an  officer  or  employee  of  the  United  States 
while  the  officer  or  employee  was  acting  within  the 
scope  of  the  office  or  employment  may  maintain  a  civil 
action  for  actual  damages  and  for  equitable  relief 
against  the  United  States; 

(3)  by  an  officer  or  employee  of  any  government  au- 
thority of  a  State  that  has  waived  its  sovereign  immu- 
nity to  a  claim  for  damages  resulting  from  a  violation 
of  this  part  while  the  officer  or  employee  was  acting 
within  the  scope  of  the  office  or  employment  may 
maintain  a  civil  action  for  actual  damages  and  for  eq- 
uitable relief  against  the  State  government; 

(4)  by  an  officer  or  employee  of  a  government  of  a 
State  that  is  not  described  in  paragraph  (3)  may  main- 
tain a  civil  action  for  actual  damages  and  for  equitable 
relief  against  the  officer  or  employee;  or 

(5)  by  an  officer  or  employee  of  a  government  au- 
thority while  the  officer  or  employee  was  not  acting 
within  the  scope  of  the  office  or  employment  may 
maintain  a  civil  action  for  actual  damages  and  for  eq- 
uitable relief  against  the  officer  or  employee. 

(b)  Knowing  Violations. — Any  individual  entitled  to  recover
actual  damages  under  this  section  because  of  a
knowing  violation  of  a  provision  of  this  part  (other  than 
subsection  (c)  or  (d)  of  section  5131)  shall  be  entitled  to  re- 
cover the  amount  of  the  actual  damages  demonstrated  or 
$5000,  whichever  is  greater. 

(c)  Actual  Damages. — For  purposes  of  this  section,  the
term  "actual  damages"  includes  damages  paid  to  com- 
pensate an  individual  for  nonpecuniary  losses  such  as 
physical  and  mental  injury  as  well  as  damages  paid  to 
compensate  for  pecuniary  losses. 

(d)  Punitive  Damages;  Attorney's  Fees. — In  any  ac- 
tion brought  under  this  section  in  which  the  complainant 
has  prevailed  because  of  a  knowing  violation  of  a  provision 
of  this  part  (other  than  subsection  (c)  or  (d)  of  section 
5131),  the  court  may,  in  addition  to  any  relief  awarded 
under  subsections  (a)  and  (b),  award  such  punitive  dam- 
ages as  may  be  warranted.  In  such  an  action,  the  court,  in 
its  discretion,  may  allow  the  prevailing  party  a  reasonable 
attorney's  fee  (including  expert  fees)  as  part  of  the  costs, 
and  the  United  States  shall  be  liable  for  costs  the  same  as 
a  private  person. 

(e)  Limitation. — A  civil  action  under  this  section  may 
not  be  commenced  more  than  2  years  after  the  date  on 
which  the  aggrieved  individual  discovered  the  violation  or 
the  date  on  which  the  aggrieved  individual  had  a  reason- 
able opportunity  to  discover  the  violation,  whichever  oc- 
curs first. 

(f)  Inspection  and  Amendment. — If  a  health  informa- 
tion trustee  has  established  a  formal  internal  procedure 
that  allows  an  individual  who  has  been  denied  inspection 
or  amendment  of  protected  health  information  to  appeal 
the  denial,  the  individual  may  not  maintain  a  civil  action 
in  connection  with  the  denial  until  the  earlier  of — 

(1)  the  date  the  appeal  procedure  has  been  ex- 
hausted; or 

(2)  the  date  that  is  4  months  after  the  date  on  which 
the  appeal  procedure  was  initiated. 

(g)  No  Liability  for  Permissible  Disclosures.— A 
health  information  trustee  who  makes  a  disclosure  of  pro- 
tected health  information  about  a  protected  individual  that 
is  permitted  by  this  part  and  not  otherwise  prohibited  by 
State  or  Federal  statute  shall  not  be  liable  to  the  individ- 
ual for  the  disclosure  under  common  law. 

(h)  No  Liability  for  Institutional  Review  Board  De- 
terminations.— If  the  members  of  a  certified  institutional 
review  board  have  in  good  faith  determined  that  an  ap- 
proved health  research  project  is  of  sufficient  importance 
so  as  to  outweigh  the  intrusion  into  the  privacy  of  an  indi- 
vidual pursuant  to  section  5136(a)(1),  the  members,  the 
board,  and  the  parent  institution  of  the  board  shall  not  be 
liable  to  the  individual  as  a  result  of  such  determination. 

(i)  Good  Faith  Reliance  on  Certification.— A  health 
information  trustee  who  relies  in  good  faith  on  a  certification
by  a  government  authority  or  other  person  and  discloses
protected  health  information  about  an  individual  in
accordance  with  this  part  shall  not  be  liable  to  the  individ- 
ual for  such  disclosure. 

SEC.  5172.  CIVIL  MONEY  PENALTIES. 

(a)  Violation. — Any  health  information  trustee  who  the
Secretary  determines  has  demonstrated  a  pattern  or  prac- 
tice of  failure  to  comply  with  the  provisions  of  this  part 
shall  be  subject,  in  addition  to  any  other  penalties  that 
may  be  prescribed  by  law,  to  a  civil  money  penalty  of  not 
more  than  $10,000  for  each  such  failure.  In  determining 
the  amount  of  any  penalty  to  be  assessed  under  the  proce- 
dures established  under  subsection  (b),  the  Secretary  shall 
take  into  account  the  previous  record  of  compliance  of  the 
person  being  assessed  with  the  applicable  requirements  of 
this  part  and  the  gravity  of  the  violation. 

(b)  Procedures  for  Imposition  of  Penalties. — The
provisions  of  section  1128A  of  the  Social  Security  Act 
(other  than  subsections  (a)  and  (b))  shall  apply  to  the  im- 
position of  a  civil  monetary  penalty  under  this  section  in 
the  same  manner  as  such  provisions  apply  with  respect  to 
the  imposition  of  a  penalty  under  section  1128A  of  such 
Act. 

SEC.  5173.  ALTERNATIVE  DISPUTE  RESOLUTION. 

(a)  In  General. — Not  later  than  July  1,  1996,  the  Secretary
shall,  by  regulation,  develop  alternative  dispute  resolution
methods  for  use  by  individuals,  health  information
trustees,  and  other  persons  in  resolving  claims  under  sec- 
tion 5171. 

(b)  Effect  on  Initiation  of  Civil  Actions.— 

(1)  In  general. — Subject  to  paragraph  (2),  the  regu- 
lations established  under  subsection  (a)  may  provide 
that  an  individual  alleging  that  a  right  of  the  individ- 
ual under  this  part  has  been  violated  shall  pursue  at 
least  one  alternative  dispute  resolution  method  devel- 
oped under  such  subsection  as  a  condition  precedent  to 
commencing  a  civil  action  under  section  5171. 

(2)  Limitation. — Such  regulations  may  not  require 
an  individual  to  refrain  from  commencing  a  civil  ac- 
tion to  pursue  one  or  more  alternative  dispute  resolu- 
tion method  for  a  period  that  is  greater  than  6 
months. 

(3)  Suspension  of  statute  of  limitations. — The
regulations  established  by  the  Secretary  under  sub- 
section (a)  may  provide  that  a  period  in  which  an  indi- 
vidual described  in  paragraph  (1)  pursues  (as  defined 
by  the  Secretary)  an  alternative  dispute  resolution 
method  under  this  section  shall  be  excluded  in  com- 
puting the  period  of  limitations  under  section  5171(e). 

(c)  Methods. — The  methods  under  subsection  (a)  shall 
include  at  least  the  following: 

(1)  Arbitration.— The  use  of  arbitration. 

(2)  Mediation.— The  use  of  mediation.

(3)  Early  offers  of  settlement. — The  use  of  a
process  under  which  parties  make  early  offers  of  set- 
tlement. 

(d)  Standards  for  Establishing  Methods.— In  devel- 
oping alternative  dispute  resolution  methods  under  sub- 
section (a),  the  Secretary  shall  ensure  that  the  methods 
promote  the  resolution  of  claims  in  a  manner  that — 

(1)  is  affordable  for  the  parties  involved; 

(2)  provides  for  timely  and  fair  resolution  of  claims; 
and 

(3)  provides  for  reasonably  convenient  access  to  dis- 
pute resolution  for  individuals. 

SEC.  5174.  AMENDMENTS  TO  CRIMINAL  LAW. 

(a)  In  General. — Title  18,  United  States  Code,  is
amended  by  inserting  after  chapter  89  the  following: 

"CHAPTER  90— PROTECTED  HEALTH 
INFORMATION 

"Sec. 

"1831.  Definitions. 

"1832.  Obtaining  protected  health  information  under  false  pretenses. 
"1833.  Monetary  gain  from  obtaining  protected  health  information  under 
false  pretenses.

"1834.  Knowing  and  unlawful  obtaining  of  protected  health  information.

"1835.  Monetary  gain  from  knowing  and  unlawful  obtaining  of  protected
health  information.

"1836.  Knowing  and  unlawful  use  or  disclosure  of  protected  health  information.

"1837.  Monetary  gain  from  knowing  and  unlawful  sale,  transfer,  or  use
of  protected  health  information.

"§1831.  Definitions

"As  used  in  this  chapter — 

"(1)  the  term  'health  information  trustee'  has  the
meaning  given  such  term  in  section  5120(b)(6)  of  the 
Health  Security  Act; 

"(2)  the  term  'protected  health  information'  has  the 
meaning  given  such  term  in  section  5120(a)(3)  of  such 
Act;  and 

"(3)  the  term  'protected  individual'  has  the  meaning 
given  such  term  in  section  5120(a)(4)  of  such  Act. 

"§1832.  Obtaining  protected  health  information
under  false  pretenses

"Whoever  under  false  pretenses — 

"(1)  requests  or  obtains  protected  health  information 
from  a  health  information  trustee;  or 

"(2)  obtains  from  a  protected  individual  an  author- 
ization for  the  disclosure  of  protected  health  informa- 
tion about  the  individual  maintained  by  a  health  infor- 
mation trustee; 
shall  be  fined  under  this  title  or  imprisoned  not  more  than 
5  years,  or  both. 

"§1833.  Monetary  gain  from  obtaining  protected
health  information  under  false  pretenses 

"Whoever  under  false  pretenses — 

"(1)  requests  or  obtains  protected  health  information 
from  a  health  information  trustee  with  the  intent  to 
sell,  transfer,  or  use  such  information  for  profit  or 
monetary  gain;  or 

"(2)  obtains  from  a  protected  individual  an  author- 
ization for  the  disclosure  of  protected  health  informa- 
tion about  the  individual  maintained  by  a  health  infor- 
mation trustee  with  the  intent  to  sell,  transfer,  or  use 
such  authorization  for  profit  or  monetary  gain; 
and  knowingly  sells,  transfers,  or  uses  such  information  or 
authorization  for  profit  or  monetary  gain  shall  be  fined 
under  this  title  or  imprisoned  not  more  than  10  years,  or 
both. 

"§1834.  Knowing  and  unlawful  obtaining  of  pro- 
tected health  information 

"Whoever  knowingly  obtains  protected  health  information
from  a  health  information  trustee  in  violation  of  part
2  of  subtitle  B  of  title  V  of  the  Health  Security  Act,  know- 
ing that  such  obtaining  is  unlawful,  shall  be  fined  under 
this  title  or  imprisoned  not  more  than  5  years,  or  both. 

"§1835.  Monetary  gain  from  knowing  and  unlawful 
obtaining  of  protected  health  information 

"Whoever  knowingly — 

"(1)  obtains  protected  health  information  from  a 
health  information  trustee  in  violation  of  part  2  of 
subtitle  B  of  title  V  of  the  Health  Security  Act,  know- 
ing that  such  obtaining  is  unlawful  and  with  the  in- 
tent to  sell,  transfer,  or  use  such  information  for  profit 
or  monetary  gain;  and 

"(2)  knowingly  sells,  transfers,  or  uses  such  informa- 
tion for  profit  or  monetary  gain; 
shall  be  fined  under  this  title  or  imprisoned  not  more  than 
10  years,  or  both. 

"§1836.  Knowing  and  unlawful  use  or  disclosure  of 
protected  health  information 

"Whoever  knowingly  uses  or  discloses  protected  health
information  in  violation  of  part  2  of  subtitle  B  of  title  V  of 
the  Health  Security  Act,  knowing  that  such  use  or  disclo- 
sure is  unlawful,  shall  be  fined  under  this  title  or  impris- 
oned not  more  than  5  years,  or  both. 

"§1837.  Monetary  gain  from  knowing  and  unlawful 
sale,  transfer,  or  use  of  protected  health  in- 
formation 

"Whoever  knowingly  sells,  transfers,  or  uses  protected
health  information  in  violation  of  part  2  of  subtitle  B  of
title  V  of  the  Health  Security  Act,  knowing  that  such  sale,
transfer,  or  use  is  unlawful,  shall  be  fined  under  this  title
or  imprisoned  not  more  than  10  years,  or  both.". 

(b)  Clerical  Amendment. — The  table  of  chapters  for
part  I  of  title  18,  United  States  Code,  is  amended  by  in- 
serting after  the  item  relating  to  chapter  89  the  following: 

"90.  Protected  health  information    1831". 

Subpart  F — Amendments  to  Title  5,  United
States  Code 

SEC.  5181.  AMENDMENTS  TO  TITLE  5,  UNITED  STATES  CODE. 

(a)  New  Subsection. — Section  552a  of  title  5,  United 
States  Code,  is  amended  by  adding  at  the  end  the  follow- 
ing: 

"(w)  Medical  Exemptions.— The  head  of  an  agency  that 
is  a  health  information  trustee  (as  defined  in  section 
5120(b)(6)  of  the  Health  Security  Act)  shall  promulgate 
rules,  in  accordance  with  the  requirements  (including  gen- 
eral notice)  of  subsections  (b)(1),  (b)(2),  (b)(3),  (c),  and  (e) 
of  section  553  of  this  title,  to  exempt  a  system  of  records 
within  the  agency,  to  the  extent  that  the  system  of  records 
contains  protected  health  information  (as  defined  in  sec- 
tion 5120(a)(3)  of  such  Act),  from  all  provisions  of  this  sec- 
tion except  subsections  (e)(1),  (e)(2),  subparagraphs  (A) 
through  (C)  and  (E)  through  (I)  of  subsection  (e)(4),  and 
subsections  (e)(5),  (e)(6),  (e)(9),  (e)(12),  (l),  (n),  (o),  (p),  (q),
(r),  and  (u).". 

(b)  Repeal.— Section  552a(f)(3)  of  title  5,  United  States 
Code,  is  amended  by  striking  "pertaining  to  him,"  and  all 
that  follows  through  the  semicolon  and  inserting  "pertain- 
ing to  the  individual;". 

Subpart  G — Regulations,  Research,  and
Education;  Effective  Dates;  Applicability; 
and  Relationship  to  Other  Laws 

SEC.  5191.  REGULATIONS;  RESEARCH  AND  EDUCATION. 

(a)  Regulations.— Not  later  than  July  1,  1996,  the  Sec- 
retary shall  prescribe  regulations  to  carry  out  this  part. 

(b)  Research  and  Technical  Support.— The  Secretary 
may  sponsor — 

(1)  research  relating  to  the  privacy  and  security  of 
protected  health  information; 

(2)  the  development  of  consent  forms  governing  dis- 
closure of  such  information;  and 

(3)  the  development  of  technology  to  implement 
standards  regarding  such  information. 

(c)  Education. — The  Secretary  shall  establish  education
and  awareness  programs — 

(1)  to  foster  adequate  security  practices  by  health  in- 
formation trustees; 

(2)  to  train  personnel  of  health  information  trustees
respecting  the  duties  of  such  personnel  with  respect  to 
protected  health  information;  and 

(3)  to  inform  individuals  and  employers  who  pur- 
chase health  care  respecting  their  rights  with  respect 
to  such  information. 

SEC.  5192.  EFFECTIVE  DATES. 

(a)  In  General. — Except  as  provided  in  subsection  (b), 
this  part,  and  the  amendments  made  by  this  part,  shall 
take  effect  on  January  1,  1997. 

(b)  Provisions  Effective  Immediately. — A  provision  of
this  part  shall  take  effect  on  the  date  of  the  enactment  of 
this  Act  if  the  provision — 

(1)  imposes  a  duty  on  the  Secretary  to  develop,  es- 
tablish, or  promulgate  regulations,  guidelines,  notices, 
statements,  or  education  and  awareness  programs;  or 

(2)  authorizes  the  Secretary  to  sponsor  research  or 
the  development  of  forms  or  technology. 

SEC.  5193.  APPLICABILITY. 

(a)  Protected  Health  Information.— Except  as  pro- 
vided in  subsections  (b)  and  (c),  the  provisions  of  this  part 
shall  apply  to  any  protected  health  information  that  is  re- 
ceived, created,  used,  maintained,  or  disclosed  by  a  health 
information  trustee  in  a  State  on  or  after  January  1,  1997, 
regardless  of  whether  the  information  existed  or  was  dis- 
closed prior  to  such  date. 

(b)  Exception. — 

(1)  In  general. — The  provisions  of  this  part  shall
not  apply  to  a  trustee  described  in  paragraph  (2),  ex- 
cept with  respect  to  protected  health  information  that 
is  received  by  the  trustee  on  or  after  January  1,  1997. 

(2)  Applicability. — A  trustee  referred  to  in  paragraph
(1)  is — 

(A)  a  health  researcher;  or 

(B)  a  person  who,  with  respect  to  specific  pro- 
tected health  information,  received  the  informa- 
tion— 

(i)  pursuant  to — 

(I)  section  5137  (relating  to  emergency 
circumstances); 

(II)  section  5138  (relating  to  judicial 
and  administrative  purposes); 

(III)  section  5139  (relating  to  law  en- 
forcement); or 

(IV)  section  5140  (relating  to  subpoe- 
nas, warrants,  and  search  warrants);  or 

(ii)  while  acting  in  whole  or  in  part  in  the 
capacity  of  an  officer  or  employee  of  a  person 
described  in  clause  (i). 

(c)  Authorizations  for  Disclosures.— An  authoriza- 
tion for  the  disclosure  of  protected  health  information 
about  a  protected  individual  that  is  executed  by  the  indi- 
vidual before  January  1,  1997,  and  is  recognized  and  valid 
under  State  law  on  December  31,  1996,  shall  remain  valid
and  shall  not  be  subject  to  the  requirements  of  section 
5132  until  January  1,  1998,  or  the  occurrence  of  the  date 
or  event  (if  any)  specified  in  the  authorization  upon  which 
the  authorization  expires,  whichever  occurs  earlier. 

SEC.  5194.  RELATIONSHIP  TO  OTHER  LAWS. 

(a)  State  Law. — Except  as  otherwise  provided  in  sub- 
sections (b),  (c),  (d),  and  (f),  a  State  may  not  establish,  con- 
tinue in  effect,  or  enforce  any  State  law  to  the  extent  that 
the  law  is  inconsistent  with,  or  imposes  additional  require- 
ments with  respect  to,  any  of  the  following: 

(1)  A  duty  of  a  health  information  trustee  under  this 
part. 

(2)  An  authority  of  a  health  information  trustee 
under  this  part  to  disclose  protected  health  informa- 
tion. 

(3)  A  provision  of  subpart  C  (relating  to  access  pro- 
cedures and  challenge  rights),  subpart  D  (miscellane- 
ous provisions),  or  subpart  (E)  (relating  to  enforce- 
ment). 

(b)  Laws  Relating  to  Public  Health  and  Mental 
Health. — This  part  does  not  preempt,  supersede,  or  modify 
the  operation  of  any  State  law  regarding  public  health 
or  mental  health  to  the  extent  that  the  law  prohibits  or 
regulates  a  disclosure  of  protected  health  information  that 
is  permitted  under  this  part. 

(c)  Criminal  Penalties. — A  State  may  establish  and  enforce 
criminal  penalties  with  respect  to  a  failure  to  comply 
with  a  provision  of  this  part. 

(d)  Privileges. — A  privilege  that  a  person  has  under 
law  in  a  court  of  a  State  or  the  United  States  or  under  the 
rules  of  any  agency  of  a  State  or  the  United  States  may 
not  be  diminished,  waived,  or  otherwise  affected  by — 

(1)  the  execution  by  a  protected  individual  of  an  au- 
thorization for  disclosure  of  protected  health  informa- 
tion under  this  part,  if  the  authorization  is  executed 
for  the  purpose  of  receiving  health  care  or  providing 
for  the  payment  for  health  care;  or 

(2)  any  provision  of  this  part  that  authorizes  the  dis- 
closure of  protected  health  information  for  the  purpose 
of  receiving  health  care  or  providing  for  the  payment 
for  health  care. 

(e)  Department  of  Veterans  Affairs.— The  limitations 
on  use  and  disclosure  of  protected  health  information 
under  this  part  shall  not  be  construed  to  prevent  any  ex- 
change of  such  information  within  and  among  components 
of  the  Department  of  Veterans  Affairs  that  determine  eligi- 
bility for  or  entitlement  to,  or  that  provide,  benefits  under 
laws  administered  by  the  Secretary  of  Veterans  Affairs. 

(f)  Certain  Duties  Under  State  or  Federal  Law.— 
This  part  shall  not  be  construed  to  preempt,  supersede,  or 
modify  the  operation  of  any  of  the  following: 

(1)  Any  law  that  provides  for  the  reporting  of  vital 
statistics  such  as  birth  or  death  information. 
(2)  Any  law  requiring  the  reporting  of  abuse  or  neglect 
information  about  any  individual. 

(3)  Subpart  II  of  part  E  of  title  XXVI  of  the  Public 
Health  Service  Act  (relating  to  notifications  of  emer- 
gency response  employees  of  possible  exposure  to  in- 
fectious diseases). 

(4)  The  Americans  with  Disabilities  Act  of  1990. 

(5)  Any  Federal  or  State  statute  that  establishes  a 
privilege  for  records  used  in  health  professional  peer 
review  activities. 

(g)  Secretarial  Authority. — 

(1)  Secretary  of  health  and  human  services. — A 
provision  of  this  part  does  not  preempt,  supersede,  or 
modify  the  operation  of  section  543  of  the  Public 
Health  Service  Act,  except  to  the  extent  that  the  Sec- 
retary of  Health  and  Human  Services  determines 
through  regulations  promulgated  by  such  Secretary 
that  the  provision  provides  greater  protection  for  pro- 
tected health  information,  and  the  rights  of  protected 
individuals,  than  is  provided  under  such  section  543. 

(2)  Secretary  of  veterans  affairs.— A  provision 
of  this  part  does  not  preempt,  supersede,  or  modify  the 
operation  of  section  7332  of  title  38,  United  States 
Code,  except  to  the  extent  that  the  Secretary  of  Veter- 
ans Affairs  determines  through  regulations  promul- 
gated by  such  Secretary  that  the  provision  provides 
greater  protection  for  protected  health  information, 
and  the  rights  of  protected  individuals,  than  is  pro- 
vided under  such  section  7332. 

Page  860,  line  9,  strike  "section  5120"  and  insert  "part  2". 

Page  867,  strike  lines  4  through  10. 

Page  867,  beginning  on  line  22,  strike  "individually"  through 
"5123(3))"  on  line  23  and  insert  "protected  health  information  (as 
defined  in  section  5120(a)(3))". 

Page  867,  beginning  on  line  25,  strike  "individually  identifiable 
information"  and  insert  "protected  health  information". 

Page  883,  line  8,  strike  "with  respect  to  its  duties"  and  insert 
"and  the  Secretary  with  respect  to  the  respective  duties  of  the 
Board  and  the  Secretary". 

Page  883,  line  11,  strike  "Board."  and  insert  "Board,  in  consulta- 
tion with  the  Secretary.". 

Page  885,  line  16,  strike  "5101  or  5120;"  and  insert  "5101;". 

Beginning  on  page  886,  strike  line  17  through  page  887,  line  2 
(and  conform  the  table  of  contents  for  title  V  accordingly). 
Amend  section  5401  (page  948,  line  5  through  page  951,  line  3) 
to  read  as  follows  (and  conform  the  table  of  contents  for  title  V  ac- 
cordingly): 

SEC.  5401.  HEALTH  CARE  FRAUD  AND  ABUSE. 

(a)  Federal  Enforcement  by  Inspectors  General 
and  Attorney  General. — 

(1)  Audits,  investigations,  inspections,  and  evaluations. — 

(A)  In  general. — Except  as  provided  in  subparagraph  (B), 
the  Inspector  General  of  each  of 
the  Department  of  Health  and  Human  Services, 
the  Department  of  Defense,  the  Department  of 
Labor,  the  Office  of  Personnel  Management,  and 
the  Department  of  Veterans  Affairs,  and  the  Attorney 
General  shall  conduct  audits,  civil  and 
criminal  investigations,  inspections,  and  evaluations 
relating  to  the  prevention,  detection,  and 
control  of  health  care  fraud  and  abuse  in  violation 
of  any  Federal  law. 

(B)  Limitation. — An  Inspector  General,  other 
than  the  Inspector  General  of  the  Department  of 
Health  and  Human  Services,  may  not  conduct  any 
audit,  investigation,  inspection,  or  evaluation 
under  subparagraph  (A)  with  respect  to  health 
care  fraud  or  abuse  under  title  V,  XI,  XVIII,  XIX, 
or  XX  of  the  Social  Security  Act. 

(2)  Powers. — For  purposes  of  carrying  out  duties 
and  responsibilities  under  paragraph  (1),  each  Inspector 
General  referred  to  in  paragraph  (1)  may  exercise 
powers  that  are  available  to  the  Inspector  General  for 
purposes  of  audits,  investigations,  and  other  activities 
under  the  Inspector  General  Act  of  1978  (5  U.S.C. 
App.). 

(3)  Coordination  and  review  of  activities  of 
other  federal,  state,  and  local  agencies. — 

(A)  Program. — The  Inspector  General  and  the 
Attorney  General  shall — 

(i)  jointly  establish,  on  the  effective  date 
specified  in  subsection  (j)(1),  a  program  to 
prevent,  detect,  and  control  health  care  fraud 
and  abuse  in  violation  of  any  Federal  law, 
which  considers  the  activities  of  Federal, 
State,  and  local  law  enforcement  agencies, 
Federal  and  State  agencies  responsible  for  the 
licensing  and  certification  of  health  care  pro- 
viders, and  State  agencies  designated  under 
subsection  (b)(1)(A);  and 

(ii)  publish  a  description  of  the  program  in 
the  Federal  Register,  by  not  later  than  June 
30,  1995. 

(B)  Annual  investigative  plan. — Each  Inspector 
General  referred  to  in  paragraph  (1)  and  the 
Attorney  General  shall  each  develop  an  annual  investigative 
plan  for  the  prevention,  detection,  and 
control  of  health  care  fraud  and  abuse  in  accordance 
with  the  program  established  under  subparagraph  (A). 

(4)  Consultations. — Each  of  the  Inspectors  General 
referred  to  in  paragraph  (1)  and  the  Attorney  General 
shall  regularly  consult  with  each  other,  with  Federal, 
State,  and  local  law  enforcement  agencies,  with  Fed- 
eral and  State  agencies  responsible  for  the  licensing 
and  certification  of  health  care  providers,  and  with 
Health  Care  Fraud  and  Abuse  Control  Units,  in  order 
to  assist  in  coordinating  the  prevention,  detection,  and 
control  of  health  care  fraud  and  abuse  in  violation  of 
any  Federal  law. 
(b)  State  Enforcement. — 

(1)  Designation  of  state  agencies  and  establishment 
of  health  care  fraud  and  abuse  control 
unit. — The  Governor  of  each  State — 

(A)  shall,  consistent  with  State  law,  designate 
agencies  of  the  State  which  conduct,  supervise, 
and  coordinate  audits,  civil  and  criminal  inves- 
tigations, inspections,  and  evaluations  relating  to 
the  prevention,  detection,  and  control  of  health 
care  fraud  and  abuse  in  violation  of  any  Federal 
law  in  the  State;  and 

(B)  may  establish  and  maintain  in  accordance 
with  paragraph  (2)  a  State  agency  to  act  as  a 
Health  Care  Fraud  and  Abuse  Control  Unit  for 
purposes  of  this  section. 

(2)  Health  care  fraud  and  abuse  control  unit 
requirements. — A  Health  Care  Fraud  and  Abuse 
Control  Unit  established  by  a  State  under  paragraph 
(1)(B)  shall  be  a  single  identifiable  entity  of  State  gov- 
ernment which  is  separate  and  distinct  from  any  State 
agency  with  principal  responsibility  for  the  administration 
of  health  care  programs,  and  which  meets  the 
following  requirements: 

(A)  The  entity— 

(i)  is  a  unit  of  the  office  of  the  State  Attor- 
ney General  or  of  another  department  of  State 
government  that  possesses  statewide  author- 
ity to  prosecute  individuals  for  criminal  viola- 
tions; 

(ii)  is  in  a  State  the  constitution  of  which 
does  not  provide  for  the  criminal  prosecution 
of  individuals  by  a  statewide  authority,  and 
has  formal  procedures,  approved  by  the  Sec- 
retary, that  assure  it  will  refer  suspected 
criminal  violations  relating  to  health  care 
fraud  or  abuse  in  violation  of  any  Federal  law 
to  the  appropriate  authority  or  authorities  of 
the  State  for  prosecution  and  assure  it  will  as- 
sist such  authority  or  authorities  in  such 
prosecutions;  or 
(iii)  has  a  formal  working  relationship  with 
the  office  of  the  State  Attorney  General  or  the 
appropriate  authority  or  authorities  for  pros- 
ecution and  has  formal  procedures  (including 
procedures  under  which  it  will  refer  suspected 
criminal  violations  to  such  office),  that  pro- 
vide effective  coordination  of  activities  be- 
tween the  Health  Care  Fraud  and  Abuse  Con- 
trol Unit  and  such  office  with  respect  to  the 
detection,  investigation,  and  prosecution  of 
suspected  health  care  fraud  or  abuse  in  viola- 
tion of  any  Federal  law. 

(B)  The  entity  conducts  a  statewide  program  for 
the  investigation  and  prosecution  of  violations  of 
all  applicable  State  laws  regarding  any  and  all  as- 
pects of  health  care  fraud  and  abuse  in  violation 
of  any  Federal  law. 

(C)  The  entity  has  procedures  for — 

(i)  reviewing  complaints  of  the  abuse  or  ne- 
glect of  patients  of  health  care  facilities  in  the 
State,  and 

(ii)  where  appropriate,  investigating  and 
prosecuting  such  complaints  under  the  crimi- 
nal laws  of  the  State  or  for  referring  the  com- 
plaints to  other  State  or  Federal  agencies  for 
action. 

(D)  The  entity  provides  for  the  collection,  or  re- 
ferral for  collection  to  the  appropriate  agency,  of 
overpayments  that — 

(i)  are  made  under  any  federally  funded  or 
mandated  health  care  program  required  by 
this  Act,  and 

(ii)  it  discovers  in  carrying  out  its  activities. 

(E)  The  entity  employs  attorneys,  auditors,  in- 
vestigators, and  other  necessary  personnel,  is  or- 
ganized in  such  a  manner,  and  provides  sufficient 
resources,  as  is  necessary  to  promote  the  effective 
and  efficient  conduct  of  its  activities. 

(3)  Submission  of  annual  plan.— Each  Health 
Care  Fraud  and  Abuse  Control  Unit  may  submit  each 
year  to  the  Inspector  General  and  the  Attorney  Gen- 
eral a  plan  for  preventing,  detecting,  and  controlling, 
consistent  with  the  program  established  under  sub- 
section (a)(3)(A),  health  care  fraud  and  abuse  in  viola- 
tion of  any  Federal  law. 

(4)  Approval  of  annual  plan. — The  Inspector  General 
shall  approve  a  plan  submitted  under  paragraph 
(3)  by  the  Health  Care  Fraud  and  Abuse  Control  Unit 
of  a  State,  unless  the  Inspector  General  establishes 
that  the  plan — 

(A)  is  inconsistent  with  the  program  established 
under  subsection  (a)(3)(A);  or 

(B)  will  not  enable  the  agencies  of  the  State  designated 
under  paragraph  (1)(A)  to  prevent,  detect, 
and  control  health  care  fraud  and  abuse  in  violation 
of  any  Federal  law. 

(5)  Reports. — Each  Health  Care  Fraud  and  Abuse 
Control  Unit  shall  submit  to  the  Inspector  General  an 
annual  report  containing  such  information  as  the  In- 
spector General  determines  to  be  necessary. 

(6)  Semiannual  reports  of  inspector  general  of 
health  and  human  services. — The  Inspector  General 
shall  include  in  each  semiannual  report  of  the  Inspector 
General  to  the  Congress  under  section  5(a)  of  the 
Inspector  General  Act  of  1978  (5  U.S.C.  App.)  an  assessment 
of  the  Inspector  General  of  how  well  States 
are  preventing,  detecting,  and  controlling  health  care 
fraud  and  abuse. 

(c)  Payments  to  States. — 

(1)  In  general. — For  each  year  for  which  a  State 
has  a  plan  approved  under  subsection  (b)(4),  and  sub- 
ject to  the  availability  of  appropriations,  the  Inspector 
General  shall  pay  to  the  State  for  each  quarter  an 
amount  equal  to  75  percent  of  the  sums  expended  during 
the  quarter  by  agencies  designated  by  the  Governor 
of  the  State  under  subsection  (b)(1)(A)  in  conducting 
activities  described  in  that  subsection. 

(2)  Time  of  payment. — The  Inspector  General  shall 
make  a  payment  under  paragraph  (1)  for  a  quarter  by 
not  later  than  30  days  after  the  end  of  the  quarter. 

(3)  Payments  are  additional. — Payments  to  a 
State  under  this  subsection  shall  be  in  addition  to  any 
amounts  paid  under  subsection  (g). 

(d)  Data  Sharing.— The  Inspector  General  and  the  At- 
torney General  shall  jointly  establish  a  program  for  the 
sharing  among  Federal  agencies,  State  and  local  law  enforcement 
agencies,  and  health  care  providers  and  insurers, 
consistent  with  data  sharing  provisions  of  subtitle  B, 
of  data  related  to  possible  health  care  fraud  and  abuse  in 
violation  of  any  Federal  law. 

(e)  Health  Care  Fraud  and  Abuse  Control  Ac- 
count.— 

(1)  Establishment. — There  is  established  on  the 
books  of  the  Treasury  of  the  United  States  a  separate 
account,  which  shall  be  known  as  the  Health  Care 
Fraud  and  Abuse  Control  Account.  The  Account  shall 
consist  of — 

(A)  the  Health  Care  Fraud  and  Abuse  Expenses 
Subaccount;  and 

(B)  the  Health  Care  Fraud  and  Abuse  Reserve 
Subaccount. 

(2)  Expenses  subaccount. — 

(A)  Contents. — The  Expenses  Subaccount  consists  of — 

(i)  amounts  deposited  under  subparagraph 
(B);  and 
(ii)  amounts  transferred  from  the  Reserve 
Subaccount  and  deposited  under  paragraph 
(3)(B). 

(B)  Deposits. — Except  as  provided  in  paragraph 
(3)(A),  there  shall  be  deposited  in  the  Expenses 
Subaccount  all  amounts  received  by  the  United 
States  as — 

(i)  fines  for  health  care  fraud  and  abuse  in 
violation  of  any  Federal  law; 

(ii)  civil  penalties  or  damages  (other  than 
restitution)  in  actions  under  section  3729  or 
3730  of  title  31,  United  States  Code  (com- 
monly referred  to  as  the  "False  Claims  Act"), 
that  are  based  on  health  care  fraud  and  abuse 
in  violation  of  any  Federal  law; 

(iii)  administrative  penalties  under  the  So- 
cial Security  Act; 

(iv)  proceeds  of  seizures  and  forfeitures  of 
property  for  acts  or  omissions  that  constitute 
health  care  fraud  or  abuse  in  violation  of  any 
Federal  law;  and 

(v)  money  and  proceeds  of  property  that  are 
accepted  under  subsection  (f). 

(C)  Use. — Amounts  in  the  Expenses  Subaccount 
shall  be  available  to  the  Inspector  General  and 
the  Attorney  General,  under  such  terms  and  conditions 
as  the  Inspector  General  and  the  Attorney 
General  jointly  determine  to  be  appropriate,  for — 

(i)  paying  expenses  incurred  by  their  respec- 
tive agencies  in  carrying  out  activities  under 
subsection  (a);  and 

(ii)  making  reimbursements  to  other  Inspectors 
General  and  Federal,  State,  and  local 
agencies  in  accordance  with  subsection  (g). 

(3)  Reserve  subaccount.— 

(A)  Deposits. — An  amount  otherwise  required 
under  paragraph  (2)(A)  to  be  deposited  in  the  Expenses 
Subaccount  in  a  fiscal  year  shall  be  deposited 
in  the  Reserve  Subaccount,  if — 

(i)  the  amount  in  the  Expenses  Subaccount 
is  greater  than  $500,000,000;  and 

(ii)  the  deposit  of  that  amount  in  the  Ex- 
penses Subaccount  would  result  in  the 
amount  in  the  Expenses  Subaccount  exceed- 
ing 110  percent  of  the  total  amount  deposited 
in  the  Expenses  Subaccount  in  the  preceding 
fiscal  year. 

(B)  Transfers  to  expenses  subaccount. — 

(i)  Estimation  of  shortfall.— Not  later 
than  the  first  day  of  the  last  quarter  of  each 
fiscal  year,  the  Inspector  General  (in  consultation 
with  the  Attorney  General)  shall  estimate 
whether  sufficient  amounts  will  be  available 
during  such  quarter  in  the  Expenses  Subaccount 
for  the  uses  described  in  paragraph  (2)(C). 

(ii)  Transfer  to  cover  shortfall.— If  the 
Inspector  General  estimates  under  clause  (i) 
that  there  will  not  be  available  sufficient 
amounts  in  the  Expenses  Subaccount  during 
the  last  quarter  of  a  fiscal  year,  there  shall  be 
transferred  from  the  Reserve  Subaccount  and 
deposited  in  the  Expenses  Subaccount  such 
amount  as  the  Inspector  General  estimates  is 
required  to  ensure  that  sufficient  amounts  are 
available  in  the  Expenses  Subaccount  during 
such  quarter. 
(C)  Limitation  on  amount  carried  over  to 
succeeding  fiscal  year. — There  shall  be  transferred 
to  the  general  fund  of  the  Treasury  any 
amount  remaining  in  the  Reserve  Subaccount  at 
the  end  of  a  fiscal  year  (after  any  transfer  made 
under  subparagraph  (B))  in  excess  of  10  percent  of 
the  total  amount  authorized  to  be  deposited  in  the 
Expenses  Subaccount  (consistent  with  subpara- 
graph (A))  during  the  fiscal  year. 

(f)  Acceptance  of  Gifts,  Bequests,  and  Devises.— The 
Attorney  General  or  any  Inspector  General  referred  to  in 
subsection  (a)(1)  may  accept,  use,  and  dispose  of  gifts,  be- 
quests, or  devises  of  services  or  property  (real  or  personal), 
for  the  purpose  of  aiding  or  facilitating  activities  under 
this  section  regarding  health  care  fraud  and  abuse.  Gifts, 
bequests,  or  devises  of  money  and  proceeds  from  sales  of 
other  property  received  as  gifts,  bequests,  or  devises  shall 
be  deposited  in  the  Account  and  shall  be  available  for  use 
in  accordance  with  subsection  (e)(2)(C). 

(g)  Reimbursements  of  Expenses  and  Other  Payments 
to  Participating  Agencies. — 

(1)  Reimbursement  of  expenses  of  federal  agen- 
cies.— The  Inspector  General  and  the  Attorney  Gen- 
eral, subject  to  the  availability  of  amounts  in  the  Ac- 
count, shall  jointly  and  promptly  reimburse  Federal 
agencies  for  expenses  incurred  in  carrying  out  sub- 
section (a). 

(2)  Payments  to  state  and  local  law  enforcement 
agencies. — The  Inspector  General  and  the  Attorney 
General,  subject  to  the  availability  of  amounts 
in  the  Account,  shall  jointly  and  promptly  pay  to  any 
State  or  local  law  enforcement  agency  that  partici- 
pated directly  in  any  activity  which  led  to  deposits  in 
the  Account,  or  property  the  proceeds  of  which  are  de- 
posited in  the  Account,  an  amount  that  reflects  gen- 
erally and  equitably  the  participation  of  the  agency  in 
the  activity. 

(3)  Funds  used  to  supplement  agency  appropria- 
tions.— It  is  intended  that  disbursements  made  from 
the  Account  to  any  Federal  agency  be  used  to  increase 
and  not  supplant  the  recipient  agency's  appropriated 
operating  budget. 

(h)  Account  Payments  Advisory  Board.— 

(1)  Establishment.— There  is  established  the  Ac- 
count Payments  Advisory  Board,  which  shall  make 
recommendations  to  the  Inspector  General  and  the  At- 
torney General  regarding  the  equitable  allocation  of 
payments  from  the  Account. 

(2)  Membership.— The  Board  shall  consist  of— 

(A)  each  of  the  Inspectors  General  referred  to  in 
subsection  (a)(1),  other  than  the  Inspector  General 
of  the  Department  of  Health  and  Human  Services; 
and 

(B)  10  members  appointed  by  the  Inspector  Gen- 
eral of  the  Department  of  Health  and  Human 
Services  to  represent  Health  Care  Fraud  and 
Abuse  Control  Units,  of  whom  one  shall  be  ap- 
pointed— 

(i)  for  each  of  the  10  regions  established  by 
the  Director  of  the  Office  of  Management  and 
Budget  under  Office  of  Management  and 
Budget  Circular  A-105,  to  represent  Units  in 
that  region;  and 

(ii)  from  among  individuals  recommended 
by  the  heads  of  those  agencies  in  that  region. 

(3)  Terms. — The  term  of  a  member  of  the  Board  appointed 
under  paragraph  (2)(B)  shall  be  3  years,  except 
that  of  such  members  first  appointed  3  members 
shall  serve  an  initial  term  of  one  year  and  3  members 
shall  serve  an  initial  term  of  2  years,  as  specified  by 
the  Inspector  General  at  the  time  of  appointment. 

(4)  Vacancies.— A  vacancy  on  the  Board  shall  be 
filled  in  the  same  manner  in  which  the  original  ap- 
pointment was  made,  except  that  an  individual  ap- 
pointed to  fill  a  vacancy  occurring  before  the  expira- 
tion of  the  term  for  which  the  individual  is  appointed 
shall  be  appointed  only  for  the  remainder  of  that  term. 

(5)  Chairperson  and  bylaws.— The  Board  shall 
elect  one  of  its  members  as  chairperson  and  shall 
adopt  bylaws. 

(6)  Compensation  and  expenses. — Members  of  the 
Board  shall  serve  without  compensation,  except  that 
the  Inspector  General  may  pay  the  expenses  reason- 
ably incurred  by  the  Board  in  carrying  out  its  func- 
tions under  this  section. 

(7)  No  termination. — Section  14(a)(2)  of  the  Federal 
Advisory  Committee  Act  (5  U.S.C.  App.)  does  not 
apply  to  the  Board. 

(i)  Definitions.— In  this  section: 

(1)  Account. — The  term  "Account"  means  the 
Health  Care  Fraud  and  Abuse  Control  Account  established 
by  subsection  (e)(1). 

(2)  Expenses  subaccount. — The  term  "Expenses 
Subaccount"  means  the  Health  Care  Fraud  and  Abuse 
Expenses  Subaccount  of  the  Account. 

(3)  Health  care  fraud  and  abuse  control 
unit. — The  term  "Health  Care  Fraud  and  Abuse  Control 
Unit"  means  such  a  unit  established  by  a  State  in 
accordance  with  subsection  (b)(2). 

(4)  Inspector  general. — Except  as  otherwise  pro- 
vided, the  term  "Inspector  General"  means  the  Inspec- 
tor General  of  the  Department  of  Health  and  Human 
Services. 

(5)  Reserve  subaccount. — The  term  "Reserve  Subaccount" 
means  the  Health  Care  Fraud  and  Abuse  Reserve 
Subaccount  of  the  Account. 

(j)  Effective  Date. — 

(1)  In  general. — Except  as  provided  in  paragraph 
(2),  this  section  shall  take  effect  on  January  1,  1996. 

(2)  Development  and  publication  of  description 
of  program. — Subsection  (a)(3)(A)  shall  take  effect  on 
the  date  of  the  enactment  of  this  Act. 

Report  on  Subtitle  B  of  Title  V 

PURPOSE  AND  SUMMARY — FAIR  HEALTH  INFORMATION  PRACTICES 

The  purpose  of  the  Fair  Health  Information  Practices  Part  of  the 
Health  Security  Act  is  to  establish  a  code  of  fair  information  prac- 
tices for  health  information  that  originates  in  or  becomes  a  part  of 
the  health  treatment  or  payment  system.  The  part  establishes  uni- 
form federal  rules  that  will  apply  to  covered  health  information  in 
all  states. 

There  are  two  basic  concepts  in  the  Act.  Identifiable  health  infor- 
mation that  is  created  or  used  during  the  health  treatment  or  pay- 
ment process  is  protected  health  information.  In  general,  protected 
health  information  remains  subject  to  statutory  restriction  no  mat- 
ter how  it  is  used  or  disclosed. 

The  second  basic  concept  is  that  of  a  health  information  trustee. 
Almost  everyone  who  has  access  to  protected  health  information  be- 
comes a  health  information  trustee  under  the  part.  Health  care 
providers,  benefit  plans  and  carriers,  oversight  agencies,  and  public 
health  authorities  are  health  information  trustees.  Others  who  ob- 
tain protected  health  information  infrequently — such  as  health  re- 
searchers and  law  enforcement  agencies — are  also  health  informa- 
tion trustees. 

The  responsibilities  and  authorities  for  each  trustee  have  been 
carefully  defined  to  balance  each  individual's  right  to  privacy  and 
the  need  for  confidentiality  in  the  health  treatment  process  against 
legitimate  societal  needs  such  as  public  health,  health  research, 
cost  containment,  and  law  enforcement.  Trustees  are  required  to — 
limit  disclosure  of  protected  health  information  to  the  mini- 
mum necessary  to  accomplish  the  purpose; 

use  protected  health  information  only  for  a  purpose  that  is 
compatible  with  and  directly  related  to  the  purpose  for  which 
the  information  was  collected  or  obtained  by  the  trustee; 
maintain  appropriate  administrative,  technical,  and  physical 
safeguards  to  protect  integrity  and  privacy  of  health  informa- 
tion; 

disclose  protected  health  information  only  for  an  authorized 
purpose;  and 

maintain  an  accounting  of  the  date,  nature,  and  purpose  of 
any  disclosure  of  protected  health  information. 
Individual  rights  vary  slightly  depending  on  which  trustee  main- 
tains protected  health  information.  For  health  information  used  in 
treatment,  payment,  or  oversight,  individuals  have  the  right  to — 
inspect  and  have  a  copy  of  their  health  information; 
seek  correction  of  health  information  that  is  not  timely,  accu- 
rate, relevant,  or  complete;  and 

receive  a  notice  explaining  their  rights  and  how  their  infor- 
mation may  be  used. 
The  Fair  Health  Information  Practices  Part  includes  several  en- 
forcement mechanisms,  including  criminal  penalties  (up  to  ten 
years  in  prison),  civil  remedies,  and  civil  money  penalties  that  may 
be  imposed  by  the  Secretary  of  Health  and  Human  Services.  In  ad- 
dition, the  part  provides  for  alternate  dispute  resolution  as  another 
mechanism  for  resolving  disputes. 

The  Fair  Health  Information  Practices  Part  is  based  on  the  Fair 
Health  Information  Practices  Act  of  1994  (H.R.  4077)  which  was  in- 
troduced on  March  17,  1994,  by  Rep.  Gary  Condit,  Chairman  of  the 
Subcommittee  on  Information,  Justice,  Transportation,  and  Agri- 
culture. 

BACKGROUND  AND  NEED  FOR  FAIR  HEALTH  INFORMATION  PRACTICES ¹ 
Right  to  privacy 

There  is  no  doubt  about  the  views  of  the  public  on  the  impor- 
tance of  privacy  of  health  records.  A  recent  poll  conducted  by  Louis 
Harris  and  Associates  for  Equifax,  Inc.,  found  that  an  overwhelm- 
ing majority  (eighty-five  percent)  of  the  public  believe  that  protect- 
ing the  confidentiality  of  health  records  is  absolutely  essential  or 
very  important  in  national  health  care  reform.  According  to  Dr. 
Alan  Westin,  the  public  put  this  priority  even  ahead  of  reform 
goals  such  as  providing  health  insurance  for  those  who  do  not  have 
it,  reducing  paperwork  burdens  on  patients  and  providers,  and  obtaining 
better  data  for  medical  research.² 

The  basic  constitutional  principles  of  individual  privacy  were 
well  stated  over  fifty  years  ago  by  Justice  Brandeis  in  his  famous 
dissent  in  Olmstead  v.  United  States: 

The  makers  of  our  Constitution  undertook  to  secure  con- 
ditions favorable  to  the  pursuit  of  happiness.  They  recog- 
nized the  significance  of  man's  spiritual  nature,  of  his  feel- 
ings and  of  his  intellect  *  *  *.  They  conferred,  as  against 


1  The  Subcommittee  on  Information,  Justice,  Transportation,  and  Agriculture  held  four  days 
of  hearings  on  health  care  confidentiality  issues.  The  first,  titled  "Health  Reform,  Health 
Records,  Computers  and  Confidentiality",  was  held  on  November  4,  1993.  The  other  three  were 
legislative  hearings  on  the  Fair  Health  Information  Practices  Act  of  1994  (H.R.  4077).  The  hear- 
ing dates  were  April  20,  1994;  May  4,  1994;  and  May  5,  1994.  The  legislative  hearings  are  here- 
inafter cited  as  "H.R.  4077  Hearings".  All  hearings  will  be  printed. 

2  Testimony  of  Dr.  Alan  Westin,  Professor  of  Public  Law  and  Government,  Columbia  Univer- 
sity, at  H.R.  4077  Hearings  (April  20,  1994).  Dr.  Westin  was  the  academic  advisor  to  the  Harris- 
Equifax  poll.  See  "Health  Information  Privacy  Survey  1993." 
the  Government,  the  right  to  be  let  alone — the  most  comprehensive 
of  rights  and  the  right  most  valued  by  civilized 
man.  To  protect  that  right,  every  unjustifiable  intrusion  by 
the  Government  upon  the  privacy  of  the  individual,  whatever 
the  means  employed  must  be  deemed  a  violation  of 
the  fourth  amendment.³ 

The view that privacy is a fundamental constitutional right was
endorsed by the Congress in the Privacy Act of 1974, which included
a specific finding that the "right to privacy is a personal and
fundamental right protected by the Constitution of the United
States." In several decisions, the Supreme Court has recognized a
constitutional right to privacy. Of particular relevance to a
discussion of health records is Whalen v. Roe.5 This case involved a
New York State statute that required pharmacists and physicians to
report the names of patients receiving certain types of prescription
drugs to state officials. The law was found to be constitutional on
two grounds: the societal interests served by the statute (fighting
illegal use of legal drugs), and the extensive confidentiality
protections included in the law. The case illustrates the types of
compelling demands that can be placed on health information as well
as the importance of confidentiality protections when sensitive
health information is used for other purposes. The case also
illustrates that protection of health records may raise
constitutional issues and that whatever constitutional protection is
available for health records is subject to a balance of interests.6

The  Miller  decision 

There are clearly significant limitations on the constitutional
right to privacy. Some of these limitations are well-illustrated by
the 1976 Supreme Court decision in United States v. Miller,7 a
case involving the ability of the government to obtain sensitive
personal information from banks.

In Miller, the Supreme Court reaffirmed the traditional legal
standard that a customer's account records in a bank are not the
private papers of the customer. As a result, the individual has no
legal right to challenge access to the records by the government or
anyone else. A bank customer has no right to notice of a subpoena
for the records of his or her account from a bank and no legal
standing to protest the subpoena.

3 277 U.S. 438 (1928).

4 Public Law 93-579, § 2(a)(4), 5 U.S.C. §552a note (1988).

5 429 U.S. 589 (1977).

6 The Court concluded its opinion with these words: "A final word about issues we have not
decided. We are not unaware of the threat to privacy implicit in the accumulation of vast
amounts of personal information in computerized data banks or other massive government files.
The collection of taxes, the distribution of welfare and social security benefits, the supervision
of public health, the direction of our Armed Forces and the enforcement of the criminal laws,
all require the orderly preservation of great quantities of information, much of which is personal
in character and potentially embarrassing or harmful if disclosed. The right to collect and use
such data for public purposes is typically accompanied by a concomitant statutory or regulatory
duty to avoid unwarranted disclosures. Recognizing that in some circumstances that duty
arguably has its roots in the Constitution, nevertheless New York's statutory scheme, and its
implementing administrative procedures, evidence a proper concern with, and protection of, the
individual's interest in privacy. We therefore need not, and do not, decide any question which might
be presented by the unwarranted disclosure of accumulated private data — whether intentional
or unintentional — or by a system that did not contain comparable security provisions. We simply
hold that this record does not establish an invasion of any right or liberty protected by the
Fourteenth Amendment." 429 U.S. 605-06 (footnote omitted). The Supreme Court also discussed the
implications of computerized systems containing personal information in Reporters Committee
for Freedom of the Press v. Department of Justice, 489 U.S. 749 (1989). See also the testimony
of Professor Paul Schwartz in H.R. 4077 Hearings (May 4, 1994) (prepared statement at 12-13).

7 425 U.S. 435 (1976).

The stark significance of Miller becomes clearer in light of the
change in the way that most people organize their financial affairs.
Before checking accounts and credit cards were universally
available, personal financial information was only available directly
from the individual. When the individual under investigation by
the government has the records being sought, the constitutional
protections against governmental intrusion work well. Yet when
that same information is held by a third party, such as a bank or
credit grantor, the Supreme Court held that the individual has no
protection against governmental intrusion, although the information
is just as sensitive and just as personal. The result is that
changes in technology, social and financial relationships, and
information policy and practice have also changed the rights of
citizens to control personal information.

Miller has no direct applicability to health records. Nevertheless,
there is reason to believe that a case involving access to health
records would have the same result. Robert Belair, then Counsel to
the National Commission on Confidentiality of Health Records,
testified that the Supreme Court might well see Miller as precedent
for health records.8 The Committee agrees that there is a
substantial risk that Miller would be applied to health records. The
Committee concludes that legislation to foreclose this possibility is
essential.

This will not be the first time that Congress has acted to modify
the effect of Miller. Based in part on a recommendation of the
Privacy Protection Study Commission,9 the 95th Congress enacted the
Right to Financial Privacy Act.10 This law protected the
confidentiality of personal financial records maintained by financial
institutions by limiting the ability of the federal government to
obtain those records. The Right to Financial Privacy Act provides an
individual with a right to notice and an opportunity to challenge a
request from a federal agency for records about the individual held
by a bank or other financial institution. This was the first in a
series of federal laws passed with the express purpose of limiting
the effect of Miller.

The Cable Communications Policy Act of 1984 12 also took a cue
from the recommendations of the Privacy Protection Study
Commission regarding Miller. The Act provides that a governmental
entity may obtain individually identifiable information concerning
a cable subscriber pursuant to court order only if the subject of the
information is afforded the opportunity to appear and contest the
order.

8 "Privacy of Medical Records," Hearings before a Subcomm. of the House Comm. on
Government Operations, 96th Cong., 1st Sess. 238-239 (1979) [hereinafter cited as "1979 House
Hearings"].

9 Privacy Protection Study Commission, "Personal Privacy in an Information Society" (1977)
[hereinafter cited as "PPSC Report"].

10 Public Law 95-630, title XI, 92 Stat. 3697 (1978), 12 U.S.C. §3401-3421 (1988).

11 Later amendments significantly weakened the limited privacy protections that were
originally included in the Right to Financial Privacy Act.

12 Public Law 98-549, 98 Stat. 2780 (1984).

13 See House Comm. on Energy and Commerce, H.R. Rep. No. 98-934, 98th Cong., 2d Sess.
78-79 (1984) (report to accompany H.R. 4103).

The Electronic Communications Privacy Act of 1986 was also
passed with the intention of changing the effect of the Miller
decision on customer records maintained by persons offering remote
computing services. This Act requires notice to the customer of a
government subpoena for the contents of electronic communications
in a remote computing service.

The Video Privacy Protection Act of 1988 was passed to provide
customers of video rental service providers with notice of a
government warrant or subpoena for records in the possession of the
providers. This too was passed with an awareness of the
recommendations of the Privacy Protection Study Commission that
the Miller decision should be overturned.20

The Committee concludes that there is ample precedent for
legislation overturning Miller for specific categories of records
about individuals that are maintained by third party record keepers.
The Committee also concludes that it is of the utmost importance that
health records receive the highest degree of protection afforded to
any category of personal records maintained by third party record
keepers. There is no justification for having lesser privacy
protections for medical records than for cable television or video
rental records. While it is beyond the scope of the current
legislation, there may be a need to reconsider the consequences of
Miller for all personal information maintained by third party record
keepers.

Secondary  use  of  health  information 

A health record has become a rich repository of information for
people and institutions who are not directly involved in the health
treatment and payment process. Few patients or providers are
aware of the extent of these secondary uses. According to one
commentator:

The value of medical information for uses outside the
medical treatment and payment system has not been popularly
recognized, and even medical professionals are largely unaware
of the many uses to which the information may be put. Medical
information increasingly is used to make nonmedical decisions
about individuals as well as for purposes unrelated to the
individuals who are the subject of the records.21

In a 1977 publication, the American Medical Record
Association 22 identified twelve broad categories of social users and
twenty-four ways that health information is used outside the
treatment and payment process. The users are: public health agencies;
medical and social researchers; rehabilitation and social welfare
programs; employers; insurance companies; federal, state, and local
government agencies; education institutions; judicial institutions;
law enforcement and investigation agencies; credit investigation
agencies; accrediting, licensing and certifying organizations; and
the media.23 A comparable list compiled today would almost
certainly include additional users and additional ways that health
information is used.

14 47 U.S.C. §551(h)(2) (1988).

15 Public Law 99-508, 100 Stat. 1848 (1986).

16 House Comm. on the Judiciary, H.R. Rep. No. 99-647, 99th Cong., 2d Sess. 72-73 (1986)
(report to accompany H.R. 4952).

17 18 U.S.C. §2703 (1988).

18 Public Law 100-618, 102 Stat. 3195 (1988), 18 U.S.C. §2710 (1988).

19 18 U.S.C. §2709 (1988).

20 Senate Comm. on the Judiciary, S. Rep. No. 100-599, 100th Cong., 2d Sess. 2-3 (1988)
(report to accompany S. 2361).

21 Gellman, "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of
Patient Privacy," 62 North Carolina Law Review 255, 261 (1984) [hereinafter cited as "Gellman"].

22 Now the American Health Information Management Association.

These secondary uses of records are not without risk to the
subjects of the records. In his classic study of health records,
Professor Alan Westin observed that the disclosure of health
information can have an enormous impact on people's lives —

It affects decision on whether they are hired or fired;
whether they can secure business licenses and life insurance;
whether they are permitted to drive cars; whether they are
placed under police surveillance or labelled a security risk;
or even whether they can get nominated for and elected to
political office.24

Rep. Nydia Velazquez testified about a personal experience
involving the leaking of her health records during a political
campaign. While the purpose of the leak was to affect the campaign,
the personal effects on Rep. Velazquez and her family were harrowing.
She noted that in some states, it is easier to obtain a person's
medical history than it is to obtain the records of that person's
video rentals.25

The consequences of improper disclosure of health information
can be severe. But it is the routine disclosure and use of health
information that may pose the greatest risk to the privacy interests
of the average consumer. The growing computerization of health
information is increasing both the supply of health data and the
demand for that data. A recent report by the Institute of Medicine
identifies many potential users of information maintained by
health database organizations, a developing class of entities that
collect and facilitate the sharing of health data on patients and
providers.26 Similarly, a report from the Office of Technology
Assessment (OTA) about computerized medical information refers to
the "tremendous outward flow of information generated in the
health care relationship today" and to the "expanded use of medical
records for nontreatment purposes." The report also suggests the
possibility of a "proliferation of private sector computer databases
and data exchanges without regulation, statutory guidance, or
recourse for persons wronged by abuse of data." 27

There is already a significant demand for health data about
individuals for use in direct marketing. This is a category of users
that was not identified by the American Medical Records Association
in 1977. Marketing and mailing list companies compile and sell lists
of individuals with a variety of ailments. For example, one mailing
list company maintains a database of 15 million individuals,
including: 2.7 million hypertensives; 2.2 million
hypercholesterolemics; 226,000 angina sufferers; 1 million diabetics;
3.5 million arthritics; 6 million allergy sufferers; 1 million heavy
antacid users; 281,000 estrogen replacement patients; 459,000
gastritis sufferers; and 150,000 osteoporosis sufferers.28

23 American Medical Record Association, Confidentiality of Patient Health Information: A
Position Statement of the American Medical Record Association 5-6 (1977), reprinted in 1979 House
Hearings at 326-27.

24 Alan F. Westin, "Computers, Health Records, and Citizen's Rights" 60 (U.S. Department of
Commerce) (1976). A more recent review of privacy and health information reached the same
conclusion. See Institute of Medicine, "Health Data in the Information Age: Use, Disclosure, and
Privacy," chapter 4, pages 4-5 (1994) [hereinafter cited as "IOM Health Data Report"].

25 H.R. 4077 Hearings (April 20, 1994).

26 See generally IOM Health Data Report.

27 Office of Technology Assessment, "Protecting Privacy in Computerized Medical Information"
44 (1993) [hereinafter cited as "OTA Medical Privacy Report"].

This database also includes the names of Alzheimer's patients,
individuals with bladder control problems, and Parkinson's disease
sufferers.29 The same firm merges the medical data with behavioral
and demographic information from a lifestyle database.30 Primary
users of the data are reported to be pharmaceutical companies.31
The patients, however, may not be the only target of marketing
efforts. Sales to nonprofit groups wishing to target the families of
sufferers are under consideration.32 The Committee is not aware of
any legal restrictions on the purchase and sale of personally
identifiable health information from this database.

To develop the database, the company used answers from
questionnaires sent to consumers.33 According to Lorna Christie,
Senior Vice President of the Direct Marketing Association, others use
the ability to capture the names of callers to 800 telephone numbers
as a way of identifying hay fever sufferers.34 Other sources of
personal health information cited by Christie include club
memberships, pharmacies, and sign-up sheets in doctor's offices.35
Supermarkets also may be a source of information about consumers.36
Another example reported by Christie involved a blood bank that
marketed lists of consumers who had blood tests. Christie cited the
sale of data from a blood bank as an example of using and marketing
health data inappropriately.37 It is not clear whether any of
these collection techniques included notice to consumers about the
intended sale of data or offered consumers the ability to approve
or veto the sale of their information.

28 Schultz, "Carlson, Metromail Offer Medical Data", DM News (June 21, 1993).

29 Id.

30 Id.

31 Id.

32 Id.

33 For a description of how personal medical information is collected for use in direct
marketing, see Erik Larson, "The Naked Consumer", 72-74 (1992). Larson explains how information
about pregnant women and new mothers is collected and used for direct marketing. Id. at 79-97.

34 Christie, "Health Data and the Private Sector" in "Health Records: Social Needs and
Personal Privacy", 31 (1993) (conference proceedings). In another reported use of 800 numbers, a
company offered a toll-free number to consumers (aimed primarily at older women) who wanted
information about incontinence pads. The company then offered the list of names for sale,
together with the caller's age, income, and other information. See Carnevale, "Caller ID Services
Accused of Invading Individual's Privacy", Wall Street Journal at B2 (June 25, 1993). See also
DM News at 2 (June 21, 1993).

35 Christie, "Health Data and the Private Sector" in "Health Records: Social Needs and
Personal Privacy", 30 (1993) (conference proceedings). It is unclear whether consumers who engage
in any of these activities or disclosures are informed of the extent to which their personal
information may be used. Whether these consumers are informed that the information can be added
to mailing lists and sold commercially is also unclear. For a discussion of the use of identifiable
information about consumers collected at supermarkets, see "Data Protection, Computers, and
Changing Information Practices", Hearing before the Subcomm. on Government Information,
Justice, and Agriculture, House Comm. on Government Operations, 101st Cong., 2d Sess. (1990).
In one supermarket program, the notice of uses and disclosures states: "Since your purchases
will be automatically recorded, this allows us to provide you with other special offers and
information about items that may be of interest to you — both from our stores and from other
carefully screened companies. If you do not wish to receive coupons, offers or other information,
please check the box below." Id. at 119. The adequacy of these notices was identified by other
witnesses as a critical question: "The critical question is, is the consent informed? Does the
customer know in fact how the information is going to be used? As I said before, I don't think there
is anything wrong with companies becoming more responsive to the needs of the customers. I
do think there is something wrong when information is gathered and used in a way that the
customer would likely object to if he or she knew what was taking place." Id. at 121 (testimony
of Marc Rotenberg, Director, Washington Office, Computer Professionals for Social
Responsibility).

Professor  Paul  Schwartz  of  the  University  of  Arkansas  Law 
School  at  Fayetteville  testified  about  the  use  of  health  information 
by  marketers: 

The protection for medical information is so weak in this
country that marketing lists detailing the most sensitive
information about citizens are for sale. Here is additional
proof of the failure of current legal regulation. Johnson &
Johnson has compiled a list for sale of five million elderly,
incontinent American women. Another company has advertised
lists containing the names of six million allergy sufferers,
700,000 people with bleeding gums, and 67,000 with epilepsy.
Other citizens appear on a mailing list as suitable consumers
of products intended for impotent middle-aged men.38

The OTA report found that other private sector repositories of
patient information were being developed and implemented. One
company provides interactive communications services to physicians
in exchange for a modest fee and an agreement by the physician
to watch certain promotional/educational materials. The physician
maintains patient records on the computer system and allows
the service provider to use aggregate clinical data for commercial
purposes.39 In another example cited by OTA, a private company
collects identifiable records of prescription drug use and sells the
database for use in marketing. It appears that patient identifiers
are now stripped before sale, but this may not have always been
true.40 The Institute of Medicine report notes that the purchase of
Medco Containment Services, a mail-order prescription firm, by
Merck & Company, was based in part on the value of the information
in its databases to influence physician prescribing practices.41
Other similar mergers and acquisitions between drug manufacturers
and prescription fulfillment firms are in process.

Whatever the source of the health information used in marketing,
these examples illustrate that there is a demand for health
data about identified individuals and that there are companies that
will collect and sell data to fill that demand. Not all companies are
willing to traffic in personal medical data, but it is apparent that
some are. Powerful computers combine medical information with
other demographic and personal data to enhance the value of the
list being sold. One consequence is the creation of more detailed
consumer profiles that combine data previously maintained in
separate databases or by independent organizations. OTA notes that
"the private sector has begun now to respond to a strong commercial
incentive to aggregate medical information." OTA also notes
that businesses with access to identifiable information who are
involved in selling aggregate patient data "operate under no
regulatory guidelines regarding security measures, employee practices,
or licensing requirements."

36 Christie, "Health Data and the Private Sector" in "Health Records: Social Needs and
Personal Privacy", 30 (1993) (conference proceedings), at 31. The sale of health-related information
by retailers of non-prescription drugs and remedies is beyond the scope of the legislation.
Trafficking in this type of personal health data (e.g., purchasers of over-the-counter allergy and
hemorrhoid remedies) is not subject to any legislative or regulatory controls at this time. The
propriety of trafficking in identifiable health-related information without the express consent of
consumers after full disclosure of all uses and disclosures of the data is questionable.

37 Id. at 31.

38 H.R. 4077 Hearings (May 4, 1994) (footnotes omitted).

39 OTA Medical Privacy Report at 33.

40 Id. at 35.

41 IOM Health Data Report at chapter 4, page 5.

The growing demand for and supply of health information for
uses that are far removed from the health treatment and payment
process make it imperative to establish a system of controls for
identifiable health information that limits the unrestricted spread
of that information. Existing legal and ethical rules governing
patient data are inadequate to cope with modern public and private
sector information practices. Even in those places where a physician
operates under strict ethical or legal restrictions, data may
lose its protection when the physician shares it in the ordinary
course of business with a computer service company, an insurance
claims processor, or an office management company. It is no longer
sufficient to have rules that apply only to some persons who have
access to identifiable patient information. To be effective and
meaningful, rules must apply whenever patient data moves from the
treatment and payment system to other places. The expanding use
of identifiable patient data in the unregulated consumer marketing
arena is also a serious concern and one that may require additional
scrutiny in the near future.

Abuse  of  health  information 

Rules for protecting health information cannot be limited to
evaluating the propriety of uses by those who are lawfully in
possession of the data. Evidence developed by the Committee in 1979
suggests that surreptitious trafficking in health information may be
common and nationwide. Strong criminal penalties are needed to deter
and punish those who may be tempted to use health information
improperly.

The best documented American example of abuse of health
records comes from Denver, Colorado. Beginning in 1975, the Denver
District Attorney and a grand jury began an investigation of
the theft of health records. They found that for over twenty-five
years, a private investigative reporting company known as Factual
Services Bureau, Inc., engaged in a nationwide business of obtaining
health information without the consent of the patient.

The company's investigators typically posed as doctors and
sought medical information by telephone from public and private
hospitals, clinics, and doctors' offices, including psychiatrists'
offices. The company paid hospital employees to smuggle out health
records. Another technique involved the use of false pretenses
through mail solicitations. The company was successful in obtaining
health records most of the time, and it even advertised its ability
to acquire health records.

42 OTA Medical Privacy Report at 30.

43 Id. at 31.

The customers of Factual Services Bureau included over one
hundred of the most prominent insurance companies in the country. In
a search of the Denver office of Factual Services Bureau, the
District Attorney found almost two thousand reports to insurance
companies. These reports frequently included detailed medical
information about individuals that was obtained without the knowledge
or consent of the individuals. No insurance company ever reported
this questionable activity to law enforcement authorities.

In June 1976, the Denver grand jury issued a special report to
the Privacy Protection Study Commission. The report stated that
trafficking in patient records was a nationwide problem: "From the
evidence, it is clear that the problem with respect to the privacy
of medical records in this jurisdiction exists in many cities and
jurisdictions across the nation."

In testimony submitted during 1979 hearings, Denver District
Attorney Dale Tooley said: "I find it difficult to believe that there
are not or have not been similar enterprises engaged in this
profitable, surreptitious business." 45

Additional direct evidence that this type of trafficking in health
information is widespread in this country is hard to find because
there have been no investigations focusing on health records in
recent years. However, evidence of illegal trafficking in other types
of personal information is easy to find. For example, the General
Accounting Office recently reported on misuse of criminal history
information maintained by the National Crime Information Center
(NCIC).46 GAO found that the NCIC system was vulnerable to misuse,
that misuse occurred throughout the NCIC system, and that
some misuse was intentional. A limited review by GAO found sixty-two
examples involving misuse, including these two:

The California Department of Justice received a complaint
from a person who suspected his employer of obtaining a copy of
his criminal record from the NCIC's [Interstate Identification
Index] file. A search of the state system's audit trail showed
that the record had been accessed by a law enforcement agency in
the eastern United States. Apparently, the employer had hired a
private investigator, located in the eastern United States, to
conduct background searches on prospective employees. The
complainant's criminal history record was allegedly sold to the
private investigator by an officer in a law enforcement agency.47

A  private  investigator  paid  several  city  employees  to  con- 
duct NCIC  record  searches.  During  the  service  of  a  search 
warrant  at  the  investigator's  office  in  an  unrelated  fraud 
matter,  state  investigators  discovered  records  indicating 
that payments had been made for NCIC records and notified
the Colorado Bureau of Investigation. The ensuing inquiry,
with the cooperation of the district attorney, resulted in
the indictment of several individuals.48

44 PPSC Report at 285.
45 1979 House Hearings at 1066.
46 General Accounting Office, "National Crime Information Center: Legislation Needed to
Deter Misuse of Criminal Justice Information" (GAO/T-GGD-93-41) (1993).
47 Id. at 24.

These  examples  are  similar  to  the  illegal  buying  and  selling  of  per- 
sonal information  uncovered  by  the  Denver  grand  jury. 

Other  types  of  sensitive  personal  records  are  also  routinely 
bought  and  sold.  One  recent  investigation  found  a  nationwide  net- 
work of  information  brokers  who  obtained  information  from  the 
NCIC,  the  National  Law  Enforcement  Telecommunications  System, 
the  Military  Personnel  Records  Center,  the  Social  Security  Admin- 
istration, the  telephone  companies,  and  others.  The  information 
was  provided  in  exchange  for  money  by  insiders  who  knew  that  it 
was against the law and policy of their agency or company.49 There
is  even  evidence  of  open  solicitation  through  newspaper  advertising 
of  the  ability  to  obtain  records  that  are  legally  protected  against 
improper disclosure.50

Evidence  supporting  the  notion  that  there  is  routine  illegal  traf- 
ficking in  health  information  also  comes  from  Canada.  In  1979,  Mr. 
Justice  Horace  Krever,  Commissioner  of  the  Royal  Commission  of 
Inquiry  into  the  Confidentiality  of  Health  Records  in  Ontario,  Can- 
ada, testified  before  the  Subcommittee  on  Government  Information 
and Individual Rights.51 The Royal Commission of Inquiry had its
origins  in  press  stories  about  abuse  of  confidential  health  informa- 
tion. Mr.  Justice  Krever  testified  that  at  the  time  the  inquiry 
began,  no  one  had  any  clear  idea  of  the  extent  of  the  violation  of 
confidentiality  or  that  many  violations  were  in  the  private  casualty 
insurance  sector.52 

The  Royal  Commission  found  that  the  acquisition  of  health  infor- 
mation by  private  investigators  without  patient  consent  and 
through  false  pretenses  was  widespread.  During  a  14-month  period, 
the  Royal  Commission  heard  from  over  500  witnesses,  including 
private  investigative  firms,  insurance  companies,  hospitals,  and 
others.  For  the  years  1976  and  1977,  the  Royal  Commission  found 
that  there  were  hundreds  of  attempts  made  in  Ontario  to  acquire 
health  information  from  hospitals  and  doctors;  well  over  half  of  the 
attempts  were  successful.  Several  investigative  firms  went  out  of 
business as a result of the Royal Commission's work.53

So  many  insurance  companies  were  found  to  have  been  using 
health  information  obtained  under  false  pretenses  that  the  Insur- 
ance Bureau  of  Canada  made  a  general  admission  to  the  Royal 
Commission  that  its  members  had  gathered  medical  information 
through  various  sources  without  the  authorization  of  the  patient. 
Many  members  of  the  Insurance  Bureau  of  Canada  are  subsidiaries 
of  American  insurance  companies.  Some  investigative  agencies  that 
obtained  information  under  false  pretenses  are  also  subsidiaries  of 
American companies.54


48  Id.  at  26. 

49 See "Sale of Criminal History Records," Hearing before the Subcomm. on Civil and
Constitutional Rights of the House Comm. on the Judiciary, 102d Cong., 2d Sess. 7 (1992)
(Serial No. 87) (testimony of David F. Nemecek, Federal Bureau of Investigation).
50  Id. 

51 1979 House Hearings at 499-553.

52  Id.  at  508. 

53  Id.  at  508-536. 

54  Id.  at  538-41,  549-51. 
Mr. Justice Krever testified that he was "very much surprised"55
by the abuses of health information that the Royal Commission
uncovered. He also testified that he suspected that the practices
occurred not only in Ontario but throughout all of North America.56

Because  of  the  similarities  between  the  Canadian  and  American 
casualty  insurance  industry  and  the  private  investigation  industry, 
this  Committee  inferred  in  a  1980  report  that  the  same  techniques 
for  acquiring  health  information  that  were  used  in  Canada  were 
also  used  in  the  United  States.  The  techniques  used  by  the  Factual 
Services  Bureau  were  identical  to  those  common  in  Canada.  All  of 
the  people  involved  in  the  Denver  and  Canadian  investigations 
have  stated  their  view  that  the  practices  were  common  throughout 
the  United  States.57 

A  recent  book  on  privacy  and  computers  by  Jeffrey  Rothfeder  in- 
cluded this  description  of  the  collection  of  personal  information  in 
America — 

[I]nformation about every move we make — buying a car
or a home, applying for a loan, taking out insurance,
purchasing potato chips, requesting a government grant,
getting turned down for credit, going to work, seeing a
doctor — is fed into dozens and dozens of separate databases
owned by the credit bureaus, the government, banks,
insurance companies, direct-marketing companies, and other
interested corporations. And from these databases it's
broadcast to thousands and thousands of regional
databanks as well as to numerous information resellers
across the country. Then the data is shipped to millions of
computers on corporate desktops or in people's homes
throughout the country.58

The  legal  use  of  personal  information  is  disturbing  enough. 
Rothfeder  also  documented  the  underground  or  illegal  use  of  per- 
sonal data: 

The information underground taps into legitimate data
sellers — they're highly active customers of the credit
bureaus, motor vehicle agencies, and real estate databanks,
for instance — and also buys data from illicit suppliers,
such as bank and medical networks.59

The Institute of Medicine (IOM) also expressed alarm about the
acquisition and use of medical information through illegal or
unethical means.60

Based on past investigations and on more recent evidence of
widespread, legal and illegal buying and selling of personal
information protected by law, the Committee sees no reason to change
the 1980 conclusion that there is routine trafficking in health
records in the United States. If anything, organized trafficking in
personal records, both legal and illegal, may have increased in the
last fifteen years. Clear rules and strong penalties are needed in
order to prevent the dozens of secondary users from responding to
commercial and other pressures to make greater use — illegal or
otherwise — of health information in their possession.

55 Id. at 543.

56 Id. at 508, 511.

57 See Comm. on Government Operations, H.R. Rep. No. 96-832, Part I, 96th Cong., 2d Sess.
27 (1980) (report to accompany H.R. 5935).

58 Jeffrey Rothfeder, "Privacy For Sale" 22-3 (1992).

59 Id. at 64.

60 IOM Health Data Report at chapter 4, page 18-19.

Inadequate  legal  and  ethical  guidance 

Federal legislation to establish fair information practices
standards for health information is also needed because existing
confidentiality rules are inadequate. This has been a consistent finding
of  studies  in  recent  years. 

The  Office  of  Technology  Assessment  recently  completed  a  review 
focusing  on  health  privacy  and  computers.  OTA  noted  that  privacy 
of  health  care  information  has  been  primarily  protected  through  a 
patchwork  system  of  ethical  obligations  and  legal  rights.  OTA 
found,  however,  that  this  system  is  inadequate. 

The  present  system  of  protection  for  health  care  information 
offers  a  patchwork  of  codes;  State  laws  of  varying  scope; 
and Federal laws applicable to only limited kinds of
information, or information maintained specifically by the
Federal Government.61

OTA  reached  this  blunt  conclusion: 

The present legal scheme does not provide consistent,
comprehensive protection for privacy in health care
information, whether it exists in a paper or computerized
environment.62

The  Institute  of  Medicine  review  of  health  privacy  found  three 
weaknesses  in  legal  confidentiality  protections  for  health  records. 
First,  the  degree  to  which  confidentiality  is  required  varies  accord- 
ing to  the  holder  of  the  information  and  the  type  of  information 
held.  Second,  legal  obligations  often  vary  widely  within  a  single 
state and from state to state. Third, current laws offer patients
little real protection against redisclosure. The IOM found that
"[r]edisclosure practices represent a yawning gap in confidentiality
protection."63

Another  commentator  has  written  about  the  failure  of  traditional 
legal  and  ethical  confidentiality  principles  to  help  physicians  in  re- 
solving conflicts  over  the  use  of  health  information: 

Now  that  medical  records  are  a  more  reliable  and  com- 
prehensive source  of  information  about  patients,  requests 
for  the  disclosure  of  identifiable  medical  information  are 
made  more  frequently  and  by  a  wider  variety  of  institu- 
tions than  ever  before.  As  patient  information  is  increas- 
ingly sought  for  purposes  not  directly  related  to  medical 
treatment,  conflicts  over  the  use  of  medical  records  become 
more acute. Because the complexity of the physician's
responsibility has not been fully recognized, however,
traditional legal and ethical confidentiality principles provide
little assistance in resolving these conflicts.64


61 OTA Medical Privacy Report at 12-13 (original emphasis).
62 Id. (original emphasis).

63 IOM Health Data Report at chapter 4, page 12.
64 Gellman at 255.

The Workgroup for Electronic Data Interchange (WEDI), an
industry-led group established to examine the potential for uniform
electronic billing, reached a similar conclusion:

Myriad  laws  and  regulations  require  providers  to  main- 
tain health  information  in  a  confidential  manner.  These 
legal  parameters  are  difficult  to  catalog  because  confiden- 
tiality has  historically  been  addressed  at  the  state  level, 
with  each  state  crafting  its  own  unique  approach.  The 
state  rules  are  superimposed  on  a  federal  regulatory 
framework.  The  result:  a  morass  of  erratic  law,  both  statu- 
tory and  judicial,  defining  the  confidentiality  of  health  in- 
formation.65 

Several  witnesses  at  an  initial  hearing  held  by  the  Subcommittee 
on  Information,  Justice,  Transportation,  and  Agriculture  offered 
similar  views.  Robert  Johnson,  representing  the  American  Hospital 
Association,  testified  about  the  shortcomings  of  existing  laws  and 
regulations.  He  also  said  that  administrative  efficiencies  would  re- 
sult from  uniform  laws  governing  patient  information: 

As  we  begin  to  build  a  nationwide  information  infra- 
structure, we  must  examine  the  currently  inconsistent 
laws  and  regulations  which  govern  the  exchange  of  patient 
information.  Many  state  and  federal  laws  create  obstacles 
to  the  legitimate  sharing  of  health  information  that  could 
yield better patient care, administrative savings, and more
efficient  patient  management.  For  example,  some  states 
prohibit  the  use  of  computerized  record  systems  by  requir- 
ing that  orders  be  written  in  ink,  often  referred  to  as  the 
"quill  pen"  laws  or  by  restricting  the  permissible  health 
record  storage  media  to  the  original  paper  or  microfilm. 

Moreover,  payers  and  providers  that  operate  in  more 
than  one  state  are  required  to  comply  with  a  multitude  of 
different  rules,  which  adds  to  administrative  inefficiency. 
The  obligation  of  complying  with  individual — often  incon- 
sistent— state  laws  and  regulations  is  overly  burdensome 
and  costly. 

Despite  this  plethora  of  state  laws,  most  of  which  in- 
clude some  form  of  confidentiality  protection,  identifiable 
health  care  information  still  remains  vulnerable  to  unau- 
thorized disclosures.  Furthermore,  many  state  laws  do  not 
address  key  issues,  like  the  patient's  right  to  see,  copy, 
and  correct  his  or  her  own  records,  and  the  obligations  of 
anyone  who  comes  in  contact  with  individually  identifiable 
health care information — including but not limited to
payers, providers, processing vendors, storage vendors and
utilization review organizations — to protect confidentiality. As
a result, the current system promotes confusion over
confidentiality rights with varying requirements from state to
state.66

65 Workgroup for Electronic Data Interchange, "Report to Secretary of U.S. Department of
Health and Human Services" at Appendix 4, page 5 (1992).

Kathleen Frawley, representing the American Health Information
Management Association, testified about the need for uniformity
and the failure of the states to enact uniform health information
legislation:

Many  states  have  enacted  legislation  modeled  after  the 
[Federal]  Privacy  Act.  It  has  been  recognized,  however, 
that  there  is  a  need  for  more  uniformity  among  the  50 
states.  In  recent  years,  the  National  Conference  of  Com- 
missioners on  Uniform  State  Laws  developed  the  Uniform 
Health  Care  Information  Act  in  an  attempt  to  stimulate 
uniformity  among  states  on  health  care  information  man- 
agement issues.  Presently,  only  two  states,  Montana  and 
Washington,  have  enacted  this  model  legislation.  Clearly, 
efforts must be directed toward developing national
standards to support the evolution of the computer-based
patient record.67

Janlori  Goldman,  Director  of  the  American  Civil  Liberties 
Union's  Privacy  and  Technology  Project  testified  about  the  need  for 
a  uniform  federal  law  and  about  how  the  existing  patchwork  ap- 
proach can  hamper  health  reform: 

The  outcome  of  this  piecemeal,  state  by  state,  approach 
to  protecting  the  privacy  and  security  of  health  care  infor- 
mation will  be  contradictory  and  detrimental  to  both  the 
individuals  and  the  goals  of  health  care  reform.  Relegating 
the  protection  of  health  care  information  to  the  states'  dif- 
ferent guidelines,  policies  and  laws  leaves  individuals  sub- 
ject to  wavering  degrees  of  privacy  protection  depending 
upon  where  they  receive  their  health  care.  In  some  in- 
stances, this  means  that  individuals  traveling  across  coun- 
ty or  state  lines  to  receive  necessary  medical  treatment 
may lose their ability to control how their health care
information is used.

Such  a  patchwork  approach  to  health  information  pri- 
vacy will  hamper  a  national  system.  The  various  states 
and  localities  with  rules  governing  the  use  of  health  care 
information  may  even  be  prevented  from  sharing  health 
care  information  contained  in  their  systems  with  neighbor- 
ing states  that  insufficiently  protect  privacy.  Thus,  there  is 
a  clear  need  for  a  uniform  federal  law  that  will  protect  in- 
dividuals' health  care  information  and  provide  guidance  to 
the states and localities engaged in health care reform.68

The  OTA  report  suggests  that  the  growing  use  of  computers  is 
putting  even  more  pressure  on  the  existing  system  of  piecemeal 
protection  and  that  existing  patient  protections  will  become  in- 
creasingly ineffective: 


66 "Health Reform, Health Records, Computers and Confidentiality", Hearing before the
Information, Justice, Transportation, and Agriculture Subcomm. of the House Comm. on
Government Operations, 103rd Cong., 1st Sess. (1993) (to be printed).

67 Id.

68 Id.

As a result of the linkage of computers, patient
information will no longer be maintained, be accessed, or even
necessarily originate with a single institution, but will instead
travel  among  a  myriad  of  facilities.  As  a  result,  the  limited 
protection  to  privacy  of  health  care  information  now  in 
place  will  be  further  strained.  Existing  models  for  data  pro- 
tection, which  place  responsibility  for  privacy  on  individual 
institutions,  will  no  longer  be  workable  for  new  systems  of 
computer  linkage  and  exchange  of  information  across  high- 
performance,  interactive  networks.  New  approaches  to  data 
protection  must  track  the  flow  of  the  data  itself. 

Finally,  the  Privacy  Protection  Study  Commission  stated  that  the 
confidentiality  of  the  doctor-patient  relationship  cannot  be  restored 
simply  by  placing  limitations  on  government  access  to  health 
records.  The  1977  report  of  the  Commission  explains  why  broader 
legislation  is  needed: 

If  a  record  keeper  has  the  discretion  to  disclose  volun- 
tarily, it  will  be  hard  for  record  keepers,  particularly  in 
heavily regulated sectors such as banking, to resist
pressures for "voluntary" compliance with government requests
for information. Voluntary disclosure of information on
individuals held by third parties must be limited if
limitations on compelled disclosure are to mean anything.70

The  Committee  concludes  with  a  great  deal  of  confidence  that  the 
time  has  come  for  a  federal  law  establishing  uniform  fair  informa- 
tion practices  for  health  information. 

Privacy  and  fair  information  practices 

In  1980,  the  Committee  on  Government  Operations  reported  a 
bill  titled  "Federal  Privacy  of  Medical  Information  Act."  The  1994 
legislation  is  titled  "Fair  Health  Information  Practices."  While 
there  are  many  similarities  in  purpose,  language,  and  effect  be- 
tween these  bills,  the  change  in  title  bears  some  significance. 

The  first  general  code  of  fair  information  practices  was  proposed 
by  an  Advisory  Committee  at  the  Department  of  Health,  Education, 
& Welfare in 1973.71 The notion of fair information practices has
grown in importance, forming the basis for a common set of
principles for privacy (or data protection 72) laws around the world. One
formulation of a code of fair information practices is:


69 OTA Medical Privacy Report at 9-10 (original emphasis).
70 PPSC Report at 351.

71 Department of Health, Education, & Welfare, "Secretary's Advisory Committee on
Automated Personal Data Systems, Records, Computers, and the Rights of Citizens" (1973)
[hereinafter cited as "HEW Report"]. For a discussion of the importance of the work of the
Advisory Committee, see Gellman, "Fragmented, Incomplete, and Discontinuous: The Failure of
Federal Privacy Regulatory Proposals and Institutions," VI Software Law Journal 199, 209-212
(1993). There is evidence of the simultaneous development of almost the identical concept in
Britain by the Younger Commission. See Colin J. Bennett, "Regulating Privacy: Data Protection
and Public Policy in Europe and the United States" 99 (1992).

72 "Data protection" is a more precise way of referring to privacy values that arise in
connection with the collection, use, and dissemination of personal information. See David
Flaherty, "Protecting Privacy in Surveillance Societies" 11 (1989) ("Under the broad rubric of
ensuring privacy, the primary purpose of data protection is the control of surveillance of the
public, whether this monitoring uses the data bases of governments or of the private sector.")
[hereinafter cited as "Flaherty"]. See also 137 Congressional Record H 755 (Jan. 29, 1991)
(Statement of Rep. Bob Wise upon the introduction of the Data Protection Act of 1991, H.R. 685,
102nd Cong.).


(1) The Principle of Openness, which provides that the
existence of record-keeping systems and databanks containing data
about individuals be publicly known, along with a description
of main purpose and uses of the data.

(2) The Principle of Individual Participation, which provides
that each individual should have a right to see any data about
himself or herself and to correct or remove any data that is not
timely, accurate, relevant, or complete.

(3) The Principle of Collection Limitation, which provides
that there should be limits to the collection of personal data,
that data should be collected by lawful and fair means, and
that data should be collected, where appropriate, with the
knowledge or consent of the subject.

(4) The Principle of Data Quality, which provides that
personal data should be relevant to the purposes for which they
are to be used, and should be accurate, complete, and timely.

(5) The Principle of Use Limitation, which provides that
there must be limits to the internal uses of personal data and
that the data should be used only for the purposes specified at
the time of collection.

(6) The Principle of Disclosure Limitation, which provides
that personal data should not be communicated externally
without the consent of the data subject or other legal
authority.

(7) The Principle of Security, which provides that personal
data should be protected by reasonable security safeguards
against such risks as loss, unauthorized access, destruction,
use, modification or disclosure. Sufficient resources should be
available to offer reasonable assurances that security goals will
be accomplished.

(8) The Principle of Accountability, which provides that
record keepers should be accountable for complying with fair
information practices.

There are several reasons why a code of fair information
practices bill has been proposed rather than a privacy bill. First,
privacy is a broad and sometimes vague concept, with many different
elements depending on the context.74 On the other hand, fair
information practices are more specific and more narrowly focused on
the protection and appropriate use of personal information.
Protection of identifiable health information is the goal of the legislation.

Second, it is apparent to anyone who views the modern health
care system that health records are not strictly "private." There are
simply too many governmental agencies and other institutions that
use identifiable health records to accomplish important objectives,
including protection of public health, cost containment, health
research, and fraud prevention. While it may be unfortunate, it is
true that much health information is no longer shared only
between doctor and patient. In the last decade of the twentieth
century, it is simply not possible to propose legislation that can
promise that health information will be absolutely private. What can
and must be guaranteed to each patient is that his or her health
information will be used fairly and disclosed only when necessary.
Fair information practices for health information can be provided
even though absolute privacy cannot.

73 This statement of fair information practices is derived from many sources, including HEW
Report; Organization for Economic Cooperation and Development, "Guidelines on the Protection
of Privacy and Transborder Flows of Personal Data" (1981); Council of Europe, "Convention for
the Protection of Individuals With Regard to Automatic Processing of Personal Data" (1981). The
latter two documents are reprinted in "Data Protection, Computers, and Changing Information
Practices," hearing before the Subcomm. on Government Information, Justice, and Agriculture,
House Comm. on Government Operations, 101st Cong., 2d Sess. (1990). See also "OTA Medical
Privacy Report" at 77-9.

74 There is no universally agreed upon definition for "privacy" and "confidentiality." For one
view of these terms, see "IOM Health Data Report" at chapter 4, pages 6-13.

Findings and purposes

Because of the restructuring that was necessary when the Fair
Health Information Practices Act (H.R. 4077) was added as the
Fair Health Information Practices Part of H.R. 3600, the findings
and purposes were omitted. They remain relevant to the legislation
and are reproduced here.

Findings. — The Congress finds as follows:

(1) The right to privacy is a personal and fundamental right
protected by the Constitution of the United States.

(2) The improper use or disclosure of individually identifiable
health information about an individual may cause significant
harm to the interests of the individual in privacy and health
care, and may unfairly affect the ability of the individual to
obtain employment, education, insurance, credit, and other
necessities.

(3) Current legal protections for health information vary
from State to State and are inadequate to meet the need for
fair information practices standards.

(4) The use, maintenance, and disclosure of health
information affects interstate commerce because of the movement of
individuals, health care providers, and health information
across State lines; access to and transfer of health information
from automated data banks and interstate telecommunications
and computer networks; the exchange of health information
through the mail; and the provision of and payment for health
care through interstate means.

(5) Uniform rules governing the use, maintenance, and
disclosure of health information are an essential part of health
care reform, are necessary to support the computerization of
health information, and can reduce the cost of providing health
services by making the necessary transfer of health
information more efficient.

(6) There is a compelling need for uniform Federal law,
rules, and procedures governing the use, maintenance, and
disclosure of health information.

(7) Individuals need access to their health information as a
matter of fairness, to enable the individual to make informed
decisions about health care, and to correct inaccurate or
incomplete information.

(b) Purposes. — The purposes of this Act are as follows:

(1) To define the rights of an individual with respect to
health information about the individual that is created or
maintained as part of the health care treatment and payment
process.

(2) To define the rights and responsibilities of a person who
creates or maintains individually identifiable health
information that originates or is used in the health treatment or
payment process.

(3) To establish effective mechanisms to enforce the rights
and responsibilities defined in this Act.

Hearings on Fair Health Information Practices

On November 4, 1993 the Subcommittee on Information, Justice,
Transportation, and Agriculture held a public hearing on Health
Reform, Health Records, Computers and Confidentiality. The
witnesses at this hearing were: Paula J. Bruening, Project Director
and Legal Analyst, Office of Technology Assessment; Robert
Johnson, American Hospital Association, Vice President and General
Counsel, Catholic Healthcare West; Dr. Donald Lewers, Board of
Trustees, American Medical Association; Janlori Goldman,
Director, Privacy and Technology Project, American Civil Liberties
Union; Kathleen Frawley, Director, Washington, D.C. Office,
American Health Information Management Association; Dennis
Drislane, President, Health Care Division, EDS.

On  April  20,  1994  the  Subcommittee  held  a  public  hearing  on  the 
Fair  Health  Information  Practices  Act  of  1994  (H.R.  4077).  The  wit- 
nesses at  this  hearing  were:  Representative  Nydia  Velazquez  (D- 
NY);  Nan  D.  Hunter,  Deputy  General  Counsel,  Department  of 
Health  and  Human  Services;  Dr.  Alan  Westin,  Professor  of  Public 
Law  and  Government,  Columbia  University;  John  Baker,  Senior 
Vice  President,  Equifax,  Inc. 

On  May  4,  1994  the  Subcommittee  held  a  public  hearing  on  the 
Fair  Health  Information  Practices  Act  of  1994  (H.R.  4077).  The  wit- 
nesses at  this  hearing  were:  Dr.  Donald  Lewers,  Board  of  Trustees, 
American  Medical  Association;  Frederic  Entin,  Senior  Vice  Presi- 
dent and  General  Counsel,  American  Hospital  Association;  Joel  E. 
Gimpel,  Associate  General  Counsel,  Blue  Cross  and  Blue  Shield  As- 
sociation, Workgroup  on  Electronic  Data  Interchange;  Kathleen 
Frawley, Director, Washington, D.C. Office, American Health
Information Management Association; Dr. Richard Barker, President,
Healthcare  Industries,  IBM;  Dr.  Martin  Sepulveda,  Director,  Occu- 
pational Health  Services,  IBM;  Robert  S.  Bolan,  Chairman,  Medic 
Alert  Foundation  International;  Professor  Paul  Schwartz,  Univer- 
sity of  Arkansas  (Fayetteville)  Law  School. 

On  May  5,  1994  the  Subcommittee  held  a  public  hearing  on  the 
Fair  Health  Information  Practices  Act  of  1994  (H.R.  4077).  The  wit- 
nesses at  this  hearing  were:  Representative  Thomas  C.  Sawyer  (D- 
OH),  Chairman,  Subcommittee  on  Census,  Statistics,  and  Postal 
Personnel;  Aimee  R.  Berenson,  Legislative  Counsel,  AIDS  Action 
Counsel;  Susan  Jacobs,  Staff  Attorney,  Legal  Action  Center;  Janlori 
Goldman,  Director,  Privacy  and  Technology  Project,  American  Civil 
Liberties  Union. 

Committee Consideration of Fair Health Information
Practices

On  July  27,  1994,  the  Subcommittee  on  Information,  Justice, 
Transportation,  and  Agriculture,  a  quorum  being  present,  approved 
by voice vote an amendment offered by Subcommittee Chairman
Condit. 

On  July  27,  1994,  the  Committee  on  Government  Operations,  a 
quorum  being  present,  approved  by  voice  vote  the  amendment  as 
reported  by  the  Subcommittee,  with  an  additional  amendment  of- 
fered by  Mr.  Towns.  That  amendment  provided  rules  for  the  dis- 
position of  health  records  for  providers  and  others  who  have  gone 
out  of  business.  The  Committee  ordered  the  Subcommittee  amend- 
ment, as  amended,  reported. 

In  addition,  the  Committee  approved  by  voice  vote  an  amend- 
ment offered  by  Mr.  Thomas  that  amended  part  1  of  subtitle  B  of 
title  V.  The  amendment  encourages  the  development  of  a  distrib- 
uted electronic  data  network  for  purposes  of  establishing  uniform 
standards  for  the  electronic  transmission  of  financial,  administra- 
tive, and  clinical  data. 

It  requires  the  Secretary  of  Health  and  Human  Services  to  estab- 
lish standards  for  automating  health  care  data.  To  the  maximum 
extent  possible,  the  Secretary  shall  incorporate  standards  that  are 
currently  in  use  or  developed  by  private  standard-setting  organiza- 
tions, including  the  American  National  Standards  Institute  and  the 
Healthcare  Informatics  Standards  Planning  Panel.  This  require- 
ment is  consistent  with  Administration  policy  (e.g.,  OMB  Circular 
A-119). 

The  amendment  repeals  state  "Quill  Pen"  laws,  which  require 
that  health  records  be  maintained  in  written  form.  In  addition,  the 
amendment  authorizes  the  Secretary  of  Health  and  Human  Serv- 
ices to  support  demonstration  projects  in  rural  and  urban  areas  for 
the  purpose  of  accelerating  progress  in  the  area  of  electronically  in- 
tegrated, community-based  clinical  information  systems.  The  funds 
received  under  this  section  may  be  used  to  enhance  existing  tele- 
communications and  information  systems. 

Section-by-Section  Analysis  and  Discussion  of  Fair  Health 
Information  Practices 

SECTION 5120. DEFINITIONS.

Section  5120  contains  definitions  relating  to  protected  health  in- 
formation, health  information  trustees,  and  other  definitions. 

"Protected  health  information"  is  one  of  the  key  terms.  The  basic 
requirements  of  the  Fair  Health  Information  Practices  part  apply 
to  protected  health  information.  There  are  essentially  three  re- 
quirements that  must  be  met  for  information  to  qualify  as  pro- 
tected health  information.  First,  the  information  must  be  created 
or  received  by  a  health  care  provider,  health  benefit  plan,  health 
oversight  agency,  or  health  information  service  organization  in  a 
state.  The  definition  does  not  cover  health  information  wherever 
situated.  Only  information  created  by  or  used  in  the  treatment  or 
payment  process  qualifies. 

Second,  information  only  qualifies  if  it  relates  in  any  way  to  the 
past,  present,  or  future  physical  or  mental  condition  or  functional 
status  of  an  individual,  the  provision  of  health  care  to  an  individ- 
ual, or  payment  for  the  provision  of  health  care  to  an  individual. 
Any  information  created  or  received  incident  to  the  provision  of 
health  care  or  incident  to  payment  for  health  care  is  covered.  If  a 
physician or health insurer acquires the name, identification number,
employment status, address, financial data, family size, education,
employment history, or any other type of demographic information
about a patient incident to the provision of or payment for
health care, that information qualifies as protected health information.
A provider or insurer cannot divide a patient's record into
health and non-health matters and conclude that the non-health
portion does not qualify as protected health information. Even the
basic fact that John Doe is a patient of Dr. Jane Smith is protected
health information. Any information conveyed during treatment or
consultation or related in any way at all to health care or health
status is protected health information. Information that is otherwise
public or seemingly not sensitive is protected health information
when it becomes part of a provider's or insurer's record.

This result is crucial because the health care system may lead
to the routine collection of large amounts of personal information
relating directly to health care, health status, life style, and enrollment
eligibility. Eventually, much of the information in a health
record will be computerized. If this massive databank—centralized,
networked, or otherwise linked or linkable—is used for unrelated
administrative, law enforcement, or other purposes, then the detrimental
effects on individual privacy and on the relationship between
physician and patient will be significantly compounded. To
the greatest extent practicable, data collected and maintained for
use in the health care treatment and payment system should not
be available for other purposes.

Genetic information is an especially sensitive and increasingly
important component of protected health information. The role of
genetics in health care is expanding as researchers discover the
genes associated with many health conditions. This knowledge will
improve the ability to diagnose existing disorders and predict late-onset
disorders, to determine susceptibility to disorders caused by
conditions during one's lifetime, and to treat or prevent these disorders.
Increasingly, genetic information about individuals will be
learned before they are born. This expanded information about individuals
will also pertain to their offspring and other blood relatives.
The sensitivity of genetic information cannot be overestimated.
In addition to assisting diagnosis and treatment, genetic information
can also be used to discriminate, to stigmatize, and to reduce
individuals' control over their lives.

Information about an individual's genetic characteristics that is
created or received by a health information trustee in connection
with health care or payment for health care qualifies as protected
health information. It makes no difference what the particular genetic
characteristic may indicate. Information about physical features,
personality characteristics, likelihood for contracting specific
diseases, personality or other traits likely shared by children or
other relatives, and any other genetic markers qualify. Even if
there is no immediate known relationship between a genetic characteristic
and an individual's health, information derived from genetic
testing falls within the definition of protected health information.

Genetic information can identify an individual in two distinct
ways: (1) as with other kinds of medical information, genetic information
can identify an individual by including the individual's
name or other (nongenetic) information about the individual, such
as the social security or other identification number, or vital statistics
about the individual; or (2) genetic information can be used for
forensic purposes to establish a blood relationship between individuals,
the identity of a dead person, or the likelihood that a biological
sample recovered at a crime scene came from a particular individual,
by comparing biological samples at the molecular level. For
the purposes of this part, identification is used in the first of these
meanings, that is, genetic information that identifies or can readily
be used to identify an individual means genetic information about
an individual that includes the individual's name or other
(nongenetic) identifying information.

The  third  requirement  that  must  be  met  for  health  information 
to  qualify  as  protected  health  information  is  that  an  individual  who 
is  a  subject  of  the  information  must  be  identifiable.  For  example, 
information  is  clearly  identifiable  if  it  includes  a  name,  social  secu- 
rity number  or  other  generally  known  or  readily  available  identi- 
fication number,  or  photograph.  Protected  health  information  will 
not  usually  include  data  that  is  completely  devoid  of  all  individ- 
ually identifiable  information,  data  about  physicians  or  hospitals, 
or  aggregate  data  compiled  for  statistical  use. 

Information  is  identifiable  if  there  is  a  reasonable  basis  to  believe 
that  the  information  can  be  used  to  identify  an  individual.  In  mak- 
ing an  assessment  of  reasonableness  under  the  Part,  it  may  be  nec- 
essary at  times  to  make  a  judgment  based  on  other  information 
that  is  available  to  a  recipient.  For  example,  most  people  cannot 
identify  an  individual  from  a  fingerprint.  A  law  enforcement  agen- 
cy, however,  must  be  presumed  to  have  that  capability.  There 
would,  therefore,  be  a  reasonable  basis  to  believe  that  disclosure  of 
a  record  with  a  fingerprint  to  a  law  enforcement  agency  could  be 
used  readily  to  identify  an  individual.  The  disclosure  of  the  same 
record to a private health researcher would not meet the test.75

When  information  is  published,  however,  it  must  be  assumed 
that  the  data  may  be  seen  by  people  with  all  reasonably  known 
identification  capabilities.  This  standard  is  not  being  adopted  to 
change  the  current  policies  for  publication  of  research  articles.  A 
review  of  current  literature  suggests  that  a  test  of  reasonableness 
is  already  generally  in  use. 

The  release  of  non-unique  data  also  may  allow  the  identification 
of  particular  individuals.  For  example,  the  occupational  description 
"professional  athlete"  is  a  non-unique  identifier  as  is  the  diagnosis 
"amyotrophic  lateral  sclerosis".  There  are  many  individuals  who 
are  or  have  been  professional  athletes  and  some  individuals  who 
have  suffered  from  amyotrophic  lateral  sclerosis.  Yet  many  people 
could  tell  that  a  description  of  a  professional  athlete  with 
amyotrophic  lateral  sclerosis  referred  to  Lou  Gehrig. 

Lou Gehrig can be identified from the above description because
of the publicity that surrounded his illness. An equally specific description
in another case—a bus driver with cancer—would be truly
non-identifiable. Even if the bus driver were identified as a resident
of New York City, the information would likely remain non-identifiable.
But if the bus driver were from a named small town,
a different conclusion might result.

75 A change in technology or in the availability of technology would make a difference in a
determination of what is reasonable. The ability to identify specific individuals from hair, blood,
or other physical samples must be considered. If databases of fingerprints or hair characteristics
or other personal data are maintained and become available to potential recipients, then this
must also be considered.

No single rule can define what constitutes readily identifiable
data. The law uses a standard of "reasonable basis to believe".
When assessing the reasonable likelihood of identification, trustees
who disclose any information about a patient must consider all of
the circumstances of the disclosure, including the specific knowledge
and capabilities of any reasonably likely recipients. In the
case of genetic information, extra consideration to the issue of identification
may be appropriate because the comparison of genetic information
about different individuals may lead to the identification
of one or more of those individuals.

The  remote  chance  that  somebody  might  possibly  be  able  to  iden- 
tify a  patient  from  a  general  description  does  not  meet  the  reason- 
able basis  to  believe  standard.  But  the  burden  of  justifying  the  dis- 
closure of  any  information  about  an  individual  falls  on  the  trustee 
making  the  disclosure.  No  extensive  factual  inquiry  is  necessary 
before  making  a  disclosure,  but  doubts  should  always  be  resolved 
in favor of non-disclosure.76 Overall, choices about what can be disclosed
will be aided by the considerable body of work done in this
area by federal statistical agencies.77

There  is  no  requirement  in  the  definition  of  "protected  health  in- 
formation" that  there  must  first  be  a  confidential  physician-patient 
relationship.  Sensitive  health  information  is  routinely  collected, 
created,  or  used  by  people  who  are  not  health  care  providers  but 
who are nevertheless engaged in the provision of or payment for
health  care.  From  the  patient's  perspective,  the  information  is  no 
less  sensitive  or  less  deserving  of  protection  as  a  result.  In  some 
present  or  future  circumstances,  health  information  may  be  even 
provided  to  and  advice  may  be  offered  by  a  computer.  The  legisla- 
tion takes  the  position  that  the  patient's  interest  in  confidentiality 
is the same in all of these situations. Once patient specific information
is generated by or becomes part of the health care treatment
or payment process, it becomes protected health information, regardless
of the existence of a formal doctor-patient relationship at
the time of creation or collection.

76 One difficult circumstance may arise when information on specific patient encounters is disclosed
with identifiers removed. Normally, data of this type will not be considered to be identifiable.
But when information on identified patients has been independently placed in the public
domain, it may be possible to associate the name of a public figure with the non-identifiable
release. For example, movie star John Doe enters a hospital for surgery. Basic information about
the type of surgery and location of the treatment is released with the consent of Mr. Doe. In
addition, Mr. Doe's age may be publicly available from a variety of sources, including possibly
state motor vehicle records. Knowing Mr. Doe's age and the nature and location of the treatment
he received may allow an enterprising person to identify Mr. Doe's record from a computer tape
containing thousands of patient encounters. The number of 50 year old white males receiving
heart transplants at the Hospital of the University of Pennsylvania on January 11, 1994 is likely
to be very small. In this circumstance where the patient has placed into the public domain
some information that would enable otherwise non-identifiable data to be associated with that
patient, the patient must bear the risk of identification. Extraordinary or impractical measures
to remove or further anonymize routine patient encounter data are not required. Nevertheless,
the release of fully anonymized patient encounter data may need to be regulated in order to
limit the ability of even casual observers to link these records with individuals.

77 See, e.g., Committee on National Statistics, "Private Lives and Public Policies: Confidentiality
and Accessibility of Government Statistics" (1993) (National Research Council). The Panel
on Confidentiality and Data Access of the Committee on National Statistics recommended continued
government work on this issue. Id. at 155-157. The Panel noted that zero-risk requirements
for disclosure of statistical records were unrealistic and recommended a standard that
calls for a "reasonably low risk of disclosure of individually identifiable data." Id. at 137. See
also Office of Management and Budget, "Report on Statistical Disclosure Limitation Methodology"
(1994) (Statistical Policy Office).

The term "health information trustee" identifies those who are in
possession of protected health information and who have responsibilities
under the Part.78 This new term has been used to avoid
traditional and more troublesome terms like "owner and record
keeper." The idea of ownership of personal information maintained
by third party record keepers is not particularly useful in today's
complex world.79 Any suggestion that one person in possession of
personal information about another individual has complete dominion
over or exclusive rights to the information is inaccurate, misleading,
and unhelpful to any fair analysis of the rights and obligations
of all of the interested parties. This is likely to be an area
in which new legal and policy principles are developed in the near
future and extended to other types of records about individuals.

The  Fair  Health  Information  Practices  Part  makes  it  clear  that 
both  the  trustee  of  protected  health  information  and  the  subject  of 
the  information  have  rights  and  responsibilities  with  respect  to 
data about the subject. The term "trustee" is not intended to be interpreted
in the strict legal sense of one to whom property is legally
committed to be administered for the benefit of another. Since
both  the  trustee  and  the  subject  have  rights  with  respect  to  the 
data,  the  term  trustee  should  be  read  in  its  general  sense  as  one 
to  whom  something  is  entrusted.  A  comparable  term  might  be  cus- 
todian in  the  sense  of  one  who  is  entrusted  with  guarding  and 
keeping  records. 

The  implication  that  protected  health  information  maintained  by 
a  trustee  is  sensitive  and  valuable  is  intentional,  as  is  the  implica- 
tion that  the  trustee  has  a  responsibility  to  look  after  the  interests 
of  others.  But  the  duties  and  responsibilities  of  trustees  are  only 
those  specified  in  the  Part.  The  Committee  cautions  against  any 
reading of the term "trustee" to imply any duties, responsibilities,
or rights not specifically enumerated in the Fair Health Information
Practices Part.

78 Employers are not covered under the definition in their role as employers. An employer
will nevertheless qualify as a health information trustee providing health care (i.e., first aid)
or by processing claims for payment. A person carrying out either activity becomes a health information
trustee with respect to that function and is subject to the applicable provisions of the
Part. This includes, most notably in this context, the general limits on use and disclosure in
section 5131. A trustee may only use or disclose protected health information for an authorized
purpose. General use of protected health information by an employer for activities unrelated to
the purpose for which the information was collected is prohibited. Thus, use of treatment
records to make promotion decisions is a violation. Other laws, such as the Americans With Disabilities
Act, may prohibit discriminatory or other use of the information as well. See also,
Frawley & Waller, "Building a Chinese Wall: Protecting Employee Health Care Data," 2
DataLaw Report 1 (July 1994).

79 See generally Branscomb, "Who Owns Information?" (1994).

80 The Supreme Court's decision in U.S. v. Miller, 425 U.S. 435 (1976) is especially unhelpful.
See the discussion of Miller elsewhere in this report. The point being made here is broader than
the proper interpretation of the Fourth Amendment's restrictions on governmental action. Third
parties maintain tremendous amounts of information on individuals. In the words of Professor
David Flaherty, "[I]ndividuals in the Western world are increasingly subject to surveillance
through the use of data bases in the public and private sectors * * *." Flaherty at 1. The notion
that of this personal information can be used or redisclosed by the third party record keepers
without any regard for the interest of the subject of the information is old-fashioned, unreasonable,
and not reflective of the large volume of information maintained or the consequences of
the uses. The subject of the record has a clear interest in the information and that interest must
be taken into account. This bill deliberately avoids any reliance on the "ownership" or "possession"
approach to defining the rights of record subjects.

The terms "carrier, health benefit plan," and "health benefit plan
sponsor" are intended to cover those who provide any type of health
insurance or conduct any type of health insurance enrollment function.
The terms include those who provide self-insurance as well as
those who provide insurance to others. The intent is to be as broadly
encompassing as possible. Also included are insurance plans for
accident, dental, vision, disability income, and long term care; Medicare
supplemental health insurance; coverage issued as a supplement
to liability insurance; liability insurance, including general liability
insurance and automobile liability insurance; worker's compensation
and similar insurance; automobile medical-payment insurance;
coverage for specific diseases or illnesses; and hospital or
fixed indemnity policies.

The term "health oversight agency" covers institutions that utilize
protected health information in the course of carrying out activities
that relate to the management or supervision of the health
care system. Those engaged in licensing, accreditation, or certification
of hospitals, physicians, or other health care providers are
health oversight agencies. Also included are those federal or state
agencies (and those acting on behalf of such agencies) who perform
audits, assessments, evaluations, determinations, or investigations
relating to the effectiveness of, compliance with, or applicability of,
legal, fiscal, medical, or scientific standards or aspects of performance
related to the delivery of or payment for health care.

For example, the Office of Inspector General (OIG) at the Department
of Health and Human Services uses health records in its
oversight and law enforcement roles with respect to programs conducted
or funded by the Department of Health and Human Services.
As a health oversight agency, in its conduct of these particular
activities, it would have access to records held by health benefit
plans, health care providers, other health oversight agencies, and
health information service organizations, as necessary, under section
5133.

The OIG reviews patient records to validate diagnosis, treatment,
and other patient specific medical information relative to federally
financed health programs. The OIG also needs access to patient
specific health records to assist in performance audits, inspections,
and evaluations related to OIG oversight responsibilities for
Peer Review Organizations (under title XI, part B of the Social Security
Act), carriers and intermediaries in the Medicare program,
and State Medicaid agencies. The Office also conducts audits and
evaluations of federally operated health facilities and clinics and
federally financed clinical research—including instances of contracted
health services and supplies provided wholly or in part by
the Federal government.

The inquiries are intended to detect a wide range of improper activities
with respect to the health care system. They may result in
criminal and civil prosecutions and administrative sanctions for
conduct such as billing for services not provided; manipulation of
diagnosis coding; misrepresentation of services rendered; provision
of unnecessary or poor quality health care; and violation of patient
dumping laws by hospitals and clinics.

The term "protected individual" is used to describe those individuals
who are the subject of protected health information and who
have rights under the Fair Health Information Practices Part. The
term includes all living individuals and those who died within the
last two years. Developing rules governing the records of deceased
individuals is not a simple or obvious task.81 Extending full protection
to these records forever is expensive and unnecessary. Ending
protection  at  the  moment  of  death  is  equally  unattractive.  A  bal- 
ance between  the  two  extreme  alternatives  is  appropriate,  and  the 
two  year  period  was  selected  as  a  reasonable  middle  ground.  For 
all  but  a  handful  of  individuals,  any  general  interest  in  their  medi- 
cal condition  will  have  been  extinguished  before  the  expiration  of 
the  two  year  period.  At  the  end  of  this  period,  health  records  do 
not  become  public  documents.  Health  information  trustees  may 
continue  to  apply  their  own  appropriate  confidentiality  rules  and 
procedures  to  the  records  and  provide  protections  for  records  for  a 
longer  period. 

The  term  "affiliated  person"  is  used  to  cover  a  wide  variety  of 
people  who  are  allowed  to  have  access  to  protected  health  informa- 
tion by  health  information  trustees.  The  purpose  is  to  bring  within 
the  scope  of  the  Part  those  persons  who  perform  services  on  behalf 
of  health  information  trustees  but  who  are  not  trustees  themselves 
or  employees  of  trustees. 

The  concept  of  affiliated  person  is  important  because  it  allows  a 
trustee  to  carry  on  its  activities  and  operations  as  it  sees  fit  while 
providing  a  method  that  will  continue  the  protection  of  any  pro- 
tected health  information  that  must  be  shared  with  others  as  a  re- 
sult of  those  activities  and  operations.  Except  where  otherwise  spe- 
cifically provided,  protected  health  information  used  or  disclosed  by 
a  health  information  trustee  remains  subject  to  the  protections  of 
the  Part  whether  the  data  is  shared  with  another  trustee  or  other 
party. The other party will normally be an affiliated person and
will be subject to the Part's provision. This is consistent with the
philosophy of the Fair Health Information Practices Part that protected
health information usually remains covered no matter where
it goes or who has access.82

By  definition,  an  affiliated  person  must  be  someone  who  is  not 
a  health  information  trustee  in  its  relationship  with  the  trustee 
who  is  providing  access  to  the  protected  health  information.  As  a 
result,  it  is  possible  that  the  same  person  may  be  a  health  informa- 
tion trustee  in  one  context  and  an  affiliated  person  in  another.  This 
is  best  illustrated  by  an  example. 

Consider a health care provider, a health insurer, and a computer
service firm. If the provider contracts with a computer service
firm to process protected health information on behalf of the
provider, the computer service firm will be an affiliated person of
the provider. When the provider (either directly or through the
computer service firm) sends claims information to the health insurer
for reimbursement, the health insurer is a health information
trustee who receives information pursuant to the provision of the
bill that authorizes disclosures for the purpose of providing for payment.

81 The traditional view is that privacy is a right of living individuals and one that does not
extend beyond death. See American Civil Liberties Union Foundation, "Litigation under the
Federal Open Government Laws" (1993) ("The weight of the authorities is that the personal privacy
interests protected by Exemptions 6 and 7(C) [of the Freedom of Information Act] lapse
upon the death of the individual." Id. at 129.). There is some case law that has held that surviving
family members may have cognizable privacy interests in government records related to the
death of a loved one. This is not actually the same interest as is recognized under the FOIA.
For example, an individual has no standing to object to the release of embarrassing or shocking
information by a living relative. The two year rule set out in section 5120 should be viewed as
an exception to the traditional view of privacy. It is not intended to suggest the need to change
the law in other areas.

82 The exceptions to this policy include information disclosed to the patient, information disclosed
to next of kin, and directory information that is disclosable to anyone.

If  the  provider  contracts  with  the  insurer  for  computer  services
not  directly  related  to  the  payment  process,  the  insurer  will  be  an
affiliated  person  with  respect  to  the  provision  of  those  services  and
with  respect  to  the  associated  data  disclosure.  The  insurer  will  remain
a  health  information  trustee  with  respect  to  its  payment  relationship
to  the  provider.

This  is  not  as  complex  or  as  unusual  as  it  may  appear  at  first
glance.  For  example,  a  physician  may  be  a  health  care  provider
with  respect  to  one  individual,  a  researcher  with  respect  to  another,
an  administrator  with  respect  to  other  patients,  and  the  next
of  kin  of  another  individual.  Similarly,  a  telephone  company  may
have  different  relationships  with  other  telephone  companies.  In  one
context,  the  company  may  be  a  regular  customer  of  a  second  telephone
company.  In  another  context,  the  relationship  may  be  that
of  an  inter-exchange  carrier.  In  each  relationship,  the  rights  and
obligations  are  different.  Correspondingly,  a  hospital  may  be  an
employer  of  an  individual  in  one  context  and  a  health  care  provider
in  another.

An  affiliated  person  also  must  be  a  contractor,  subcontractor,  associate,
or  subsidiary  of  a  health  information  trustee  and  must,
pursuant  to  an  agreement  or  other  relationship  with  the  trustee,
receive,  create,  use,  maintain,  or  transmit  protected  health  information.
A  person  does  not  become  an  affiliated  person  simply  by
virtue  of  any  type  of  contractual  relationship  with  a  trustee.  For
example,  a  person  hired  to  paint  the  walls  of  a  hospital  does  not
become  an  affiliated  person  unless  some  type  of  access  to  protected
health  information  is  involved.  Thus,  a  painter  of  a  public  area  in
a  hospital  would  not  normally  be  an  affiliated  person.  However,  a
person  hired  to  paint  a  hospital's  record  room  who  is  required  to
move  patient  files  while  painting  would  be  an  affiliated  person  because
access  to  those  records  is  possible.83

A  health  care  provider  or  other  health  information  trustee  may
have  a  variety  of  relationships  with  service  providers  who  have  access
to  protected  health  information.  When  there  is  a  contract,  as
there  would  be  with  a  computer  service  provider,  it  is  easy  to  identify
the  relationship  with  the  affiliated  person.  With  a  regulated
service  like  telephone  service,  there  may  be  a  contract  or  a  tariff.84


83  A  painter  who  merely  had  to  pass  through  the  record  room  on  the  way  to  another  location
would  not  have  to  be  treated  as  an  affiliated  person.  Similarly,  a  fireman  who  may  enter  a  hospital
record  room  while  putting  out  a  fire  does  not  become  an  affiliated  person.  Brief,  incidental,
or  theoretical  access  to  records  does  not  make  a  person  an  affiliated  person  under  the  Act.

In  the  case  of  the  painter  passing  through  the  record  room,  the  presence  of  supervision  that
would  prevent  the  possibility  of  access  to  patient  records  would  be  another  factor  suggesting
that  no  access  to  actual  records  was  part  of  the  painter's  function  and  therefore  no  affiliated
person  relationship  was  created.  The  affiliated  person  concept  should  be  applied  in  a  reasonable
manner,  with  the  focus  being  on  whether  access  to  identifiable  records  is  a  part  of  the  activity
involved.

84  It  is  possible  that  a  tariff  might  be  wholly  sufficient  to  define  the  role  of  an  affiliated  person
under  the  bill.  Consider,  for  instance,  a  common  carrier  telephone  service  provider  that  is  re-

But  things  are  not  always  as  clear.  As  a  result,  the  definition  of
"affiliated  person"  has  been  deliberately  left  open-ended  and 
nonformal. 

The  affiliated  person  may  be  someone  associated  with  a  trustee 
but  who  does  not  have  a  formal  legal  relationship.  For  example,  a 
medical  student  or  hospital  volunteer  may  be  an  affiliated  person 
although  neither  may  have  a  contract  with  the  hospital.  Employees 
of  physicians  or  other  providers  located  in  a  hospital  but  who  are 
not  themselves  employees  of  the  hospital  may  be  affiliated  persons 
if  they  have  access  to  hospital  patient  records.  In  these  instances, 
the  affiliated  persons  may  be  subject  to  the  same  protected  health 
information  rules,  training,  and  procedures  as  direct  hospital  em- 
ployees.85 

Affiliated  persons  will  include  a  wide  range  of  private  organiza- 
tions such  as  service  bureaus,  third  party  administrators,  claims 
processors,  auditors,  and  others  who  collect,  automate,  retain  and 
use  protected  health  information  to  provide  services  to  trustees. 
The  emergence  of  health  information  organizations  is  a  response  to 
needs  of  trustees.  The  Fair  Health  Information  Practices  Part  is 
not  intended  to  control  the  development  of  these  organizations;  it 
is  only  intended  to  control  use  of  protected  health  information. 

An  affiliated  person,  like  an  employee  of  a  trustee,  does  not  have 
unlimited  access  to  protected  health  information.  Access  is  still  reg- 
ulated by  the  general  principle  that  all  uses  and  disclosures  must 
be  limited  when  practicable  to  the  minimum  amount  of  information 
necessary  to  accomplish  the  purpose  for  which  the  information  is 
used  or  disclosed. 

The  term  "health  care"  is  broadly  defined  in  the  bill  to  include 
any  preventive,  diagnostic,  therapeutic,  rehabilitative,  mainte- 
nance, or  palliative  care,  counseling,  service,  or  procedure  with  re- 
spect to  (I)  the  physical  or  mental  condition  or  functional  status  of 
an  individual  or  (II)  affecting  the  structure  or  function  of  the 
human  body  or  any  part  of  the  human  body,  including  the  banking 
of  blood,  sperm,  organs,  or  any  other  tissue.  The  term  also  includes 
any  sale  or  dispensing  of  a  drug,  device,  equipment,  or  other  item 
to  an  individual,  or  for  the  use  of  an  individual,  pursuant  to  a  pre- 
scription. 

The  term  is  intended  to  be  broadly  encompassing  and  to  include 
the  results  of  genetic  tests  on  an  individual  or  his  or  her  future  off- 
spring. With  the  ability  to  conduct  genetic  tests  that  may  indicate 
information  about  future  offspring,  a  narrow  interpretation  could 
exclude  the  results  of  such  genetic  tests.  This  is  not  the  intent  of 
the  legislation.  Such  genetic  tests  clearly  fall  within  the  scope  of 
preventive,  diagnostic,  or  therapeutic  care,  counseling,  service,  or 
procedure.  Genetic  counseling  is  also  included  within  the  definition
of  health  care. 


stricted  by  tariff,  regulation,  or  statute  from  access  to  or  use  of  the  content  of  a  telephone  call. 
A  trustee  may  find  that  the  role  of  the  telephone  service  provider  with  respect  to  any  protected 
health  information  transmitted  in  such  a  call  is  fully  described  as  a  result.  Any  possible  duty 
or  authority  of  an  affiliated  person  may  be  foreclosed  by  a  lack  of  effective  access  to  the  underlying
data.  If  not,  a  supplemental  agreement  may  be  required.

85  Formal  non-disclosure  agreements  between  health  care  facilities  and  students,  volunteers,
contractors,  and  vendors  are  not  unusual.  For  examples  of  these  agreements,  see  Brandt,  Maintenance,
Disclosure,  and  Redisclosure  of  Health  Information  (American  Health  Information
Management  Association)  (1993).

The  definition  of  "health  care"  excludes  any  item  or  service  that
is  not  furnished  for  the  purpose  of  maintaining  or  improving  the
health  of  an  individual.  This  exclusion  is  intended  to  cover  the  collection
of  health  information  outside  of  a  treatment  relationship  or
the  payment  process.  For  example,  information  about  an  individual's
physical  condition  that  is  collected  by  a  physician  during  an
examination  conducted  on  behalf  of  a  life  insurance  company  as
part  of  an  application  for  life  insurance  does  not  fall  within  the  definition
because  the  physician  is  not  providing  treatment.  The  physician
is,  instead,  collecting  information  with  the  consent  of  the  individual
for  transmission  to  a  third  party.  Likewise,  information
about  an  individual's  physical  condition  collected  by  a  researcher  in
the  course  of  research  when  no  treatment  is  provided  would  not  fall
within  the  definition.86  There  is  no  physician-patient  relationship,
no  expectation  of  confidentiality  under  the  Part,  and,  more  importantly,
no  treatment.  Similarly,  information  about  medical  condition
shared  with  a  hairdresser  ("My  hair  is  falling  out  because  of
radiation  treatments  for  cancer")  is  not  covered  because  there  is  no
nexus  to  health  treatment  or  payment.

When  there  is  a  treatment  relationship,  all  information  generated,
collected,  or  retained  pursuant  to  the  treatment  is  part  of
the  health  care  process  and  falls  within  the  scope  of  the  definition.
The  definition  should  not  be  read  so  that  specific  items  of  information
can  be  determined  not  to  be  for  treatment  while  other  items
fall  within  the  definition.

The  terms  "disclosure"  and  "use"  are  employed  to  refer  to  the
sharing  of  protected  health  information  by  a  health  information
trustee.  A  use  occurs  when  a  health  information  trustee  utilizes
protected  health  information  or  provides  access  to  an  officer,  employee,
or  affiliated  person  of  the  trustee.  A  disclosure  occurs  when
access  to  protected  health  information  is  provided  to  any  other  person.
In  essence,  the  bill  distinguishes  between  internal  uses  and
external  disclosures.  When  protected  health  information  is  provided
to  the  individual  who  is  the  subject  of  the  information,  the  access
is  neither  a  use  nor  a  disclosure.

The  bill  sets  out  all  of  the  disclosures  that  a  health  information
trustee  is  authorized  to  make.  Permissible  uses  are  determined  by
the  application  of  a  standard  set  out  in  section  5131  of  the  bill.  The
distinction  between  internal  uses  and  external  disclosures  will  not
always  be  obvious.  Consider  a  hospital  that  is  affiliated  with  a  uni- 
versity. Access  to  protected  health  information  by  the  executive  di- 
rector of  the  hospital  in  connection  with  management  of  the  hos- 
pital would  be  an  internal  use.  The  determination  is  harder  when 
considering  the  possibility  of  access  by  the  president  of  the  univer- 
sity, counsel  to  the  university  (as  distinguished  from  counsel  to  the 
hospital),  or  university  fund  raisers.  Whether  any  of  these  people 
can  justify  access  to  information  under  the  standards  of  the  Fair 
Health  Information  Practices  Part  is  a  separate  question.  The  ini- 
tial question  is  whether  to  consult  the  list  of  permissible  external 
disclosures  or  to  consult  the  rules  for  evaluating  internal  uses. 


86  Researchers  may  be  bound  by  other  confidentiality  laws  or  by  their  own  agreements  with
patients.  Nothing  here  is  intended  to  suggest  that  these  obligations  may  be  ignored.  The  point
is  that  the  Fair  Health  Information  Practices  Part  does  not  apply  unless  the  information  is  collected
for  treatment.

In  the  case  of  the  university  and  university  hospital,  the  issue  of
internal  versus  external  depends  on  how  the  trustee  qualifies  as  a 
trustee.  The  hospital  is  a  health  information  trustee  because  it  is 
a  health  care  provider.  The  rest  of  the  university  does  not  provide 
health  care  and  should  not  be  considered  as  part  of  the  same  entity 
for  purposes  of  distinguishing  between  use  and  disclosure.  It  is  possible,
however,  that  other  parts  of  the  university  could  qualify  as
affiliated  persons.  For  example,  the  counsel  to  the  university  might 
be  an  affiliated  person  if  supporting  a  function  of  the  hospital  that 
requires  access  to  identifiable  health  information.  However,  if  the 
counsel  is  seeking  protected  health  information  to  carry  out  an  un- 
related activity  of  the  university,  then  the  access  would  have  to  be 
evaluated  as  an  external  disclosure. 

The  same  principles  apply  when  health  care  providers  practice 
through  a  corporate  structure.  The  provider  may  have  a  parent  cor- 
poration, subsidiaries,  and  other  associated  corporate  entities.  In 
this  context,  the  provider  is  the  health  information  trustee  because 
it  is  the  provider  that  undertakes  the  activity  that  gives  rise  to  ob- 
ligations under  the  legislation.  The  release  of  protected  health  in- 
formation to  parents,  subsidiaries,  and  related  corporate  entities 
will  almost  always  be  an  external  disclosure  rather  than  an  internal
use.  Associated  corporate  entities  could  be  affiliated  persons  if
they  assist  the  hospital  in  carrying  out  its  functions.  However,  if 
in  pursuit  of  general  corporate  objectives,  the  parent  corporation 
asked  each  of  its  hospitals  to  compile  a  list  of  patients  with  particu- 
lar ailments  or  who  were  using  particular  drugs,  the  release  of  pro- 
tected health  information  to  the  parent  would  be  an  external  disclo- 
sure and  would  almost  certainly  be  improper. 

The  lines  in  this  area  will  not  always  be  black  and  white.  Any
doubts  should  always  be  resolved  in  favor  of  limiting  access  to  pro- 
tected health  information.  The  interests  of  the  individuals  whose 
records  are  at  issue  should  always  be  the  paramount  consideration. 

SECTION  5121.  INSPECTION  OF  PROTECTED  HEALTH  INFORMATION 

It  is  a  basic  element  of  any  code  of  fair  information  practices — 
as  well  as  an  essential  element  of  fundamental  fairness — that  indi- 
viduals have  a  right  to  see  their  own  records.  In  a  recent  public 
opinion  poll,  96%  of  the  public  said  it  was  important  that  individ- 
uals have  the  legal  right  to  obtain  a  copy  of  their  own  medical 
records.  According  to  Professor  Alan  Westin,  people  do  not  have
that  right  today  in  23  states.88

A  statutory  procedure  for  patient  access  to  health  records  may 
actually  be  a  cost  saving  measure.  While  not  all  states  require  that 
patients  be  provided  a  copy  of  their  records,  a  determined  patient 
will  almost  always  be  able  to  obtain  a  copy  through  litigation.  By 
permitting  access  without  litigation,  the  same  result  will  be 
achieved  without  unnecessary  expense.  Access  will  no  longer  be 
limited  to  patients  with  the  knowledge  to  seek  or  ability  to  pay  a 
lawyer. 


87  See  Louis  Harris  and  Associates,  Health  Information  Privacy  Survey  1993.

88  Testimony  of  Dr.  Alan  Westin,  Professor  of  Public  Law  and  Government,  Columbia  University,
at  H.R.  4077  Hearings  (April  20,  1994).  See  also  Public  Citizen  Health  Research  Group,
Medical  Records:  Getting  Yours  (1992).

There  are  other  potential  savings  as  well.  The  1973  report  of  the
Commission  on  Medical  Malpractice  established  by  the  Secretary  of
Health,  Education,  and  Welfare  included  this  finding:

The  Commission  finds  that  the  unavailability  of  medical  records
without  resort  to  litigation  creates  needless  expense  and  increases
the  incidence  of  unnecessary  malpractice  litigation.89

The  Commission  recommended  that  medical  record  information
be  made  more  easily  accessible  to  patients.

There  is  also  some  evidence  that  access  may  result  in  better
treatment,  improved  patient  education,  and  a  more  open  doctor-patient
relationship.90  The  evidence  on  this  point  is  incomplete,  and
the  Committee  is  not  recommending  patient  access  because  of  medical
advantages.  There  are  other  reasons  that  more  than  adequately
justify  patient  access.

Another  consequence  of  patient  access  may  be  a  reduction  in
medical  expenses.  In  1979,  a  witness  testified  that  his  family  had
moved  eight  times  in  nineteen  years  and  that  despite  his  best  efforts,
he  was  unable  to  accumulate  all  of  their  medical  records  and
keep  them  current.  As  a  result  of  the  inability  to  retrieve  earlier
records,  a  family  member  had  to  redo  expensive  medical  tests.91
Improved  information  technology  may  lessen  the  need  for  patients
to  manage  their  own  records,  but  it  will  be  a  long  time  before  the
benefits  of  computerization  will  be  fully  realized.  There  will  be
paper  records  and  potential  savings  for  the  foreseeable  future.

The  cost  of  providing  for  patient  access  to  health  information  is
likely  to  be  small.  In  1980,  the  Committee  reviewed  the  experience
of  Federal  agencies  in  complying  with  a  similar  access  requirement
under  the  Privacy  Act  of  1974.  That  Act  had  been  in  effect  for  several
years  at  the  time  of  the  review.  The  Committee  heard  from
several  different  components  of  the  Department  of  Health,  Education,
and  Welfare  that  were  directly  involved  in  the  provision  of
health  services.  No  problems  with  patient  access  were  reported,
and  the  rate  of  patient  requests  was  approximately  one  per  one
hundred  patient  encounters.  The  cost  of  complying  with  access  and
correction  provisions  very  similar  to  those  in  the  Fair  Health  Information
Practices  Part  was  found  to  be  about  $700  per  facility  in
the  late  1970s.92  The  Committee  anticipates  that  the  cost  of  complying
with  the  patient  access  provisions  will  be  minimal  and  that
the  benefits,  while  harder  to  measure,  should  exceed  the  costs.

Section  5121  of  the  Fair  Health  Information  Practices  Part  requires
health  care  providers,  health  benefit  plans,  health  oversight
agencies,  public  health  agencies,  and  health  information  service  organizations
to  permit  an  individual  to  inspect  any  protected  health
information  about  the  individual  that  the  trustee  maintains  and  to
bring  another  individual  along  during  the  inspection.  An  individual
also  has  the  right  to  have  a  copy  of  the  information.  The  right  of
inspection  and  copying  includes  paper  records,  computer  records,  x-rays,
and  any  other  type  of  protected  health  information  regardless
of  form  or  medium.  The  right  of  inspection  also  includes  any  accounting
required  under  section  5124  and  a  copy  of  an  authorization
as  required  under  section  5132.

89  Department  of  Health,  Education,  and  Welfare,  Report  of  the  Secretary's  Commission  on
Medical  Malpractice  75  (1973).

90  See,  e.g.,  Stein  et  al.,  "Patient  Access  to  Medical  Records  on  a  Psychiatric  Inpatient  Unit",
136  American  Journal  of  Psychiatry  327  (1979);  Golodetz  et  al.,  "The  Right  to  Know:  Giving  the
Patient  His  Medical  Record",  57  Archives  of  Physical  Medicine  and  Rehabilitation  78  (1976);
Shenkin  and  Warren,  "Giving  the  Patient  His  Medical  Record:  A  proposal  to  Improve  the  System",
289  New  England  Journal  of  Medicine  688  (1973).  See  also  Novack  et  al.,  "Changes  in
Physicians'  Attitudes  Toward  Telling  the  Cancer  Patient",  241  Journal  of  the  American  Medical
Association  897  (1979).

91  1979  "House  Hearings"  at  941-2  (testimony  of  Leon  Troyer).

92  See  House  Comm.  on  Government  Operations,  Federal  Privacy  of  Medical  Information  Act,
H.R.  Rep.  No.  96-832  Part  I,  96th  Cong.,  2d  Sess.  (1980)  (report  to  accompany  H.R.  5935).

The  trustee  has  the  right  to  offer  to  explain  or  interpret  informa- 
tion provided  to  the  individual.  No  trustee  is  required  to  provide 
an  explanation,  but  it  may  be  in  the  best  interest  of  both  the  trust- 
ee and  the  subject  of  the  records  if  an  explanation  is  offered. 
Health  records  can  be  complex  documents,  filled  with  abbreviations 
and  data  that  is  unintelligible  to  the  layman.  Explanations  will  fa- 
cilitate understanding,  improve  relations,  and  avoid  needless  anxi- 
ety and  litigation. 

The  right  of  inspection  applies  to  the  major  classes  of  trustee 
who  use  health  information  to  make  determinations  about  people. 
Both  providers  and  benefit  plans  have  direct  contact  with  individ- 
uals and  make  decisions  about  treatment  and  payment.  Health 
oversight  agencies  also  must  permit  inspection  and  copying  because 
their  activities  may  also  have  a  direct  effect  on  individuals  even 
though  the  agencies  may  not  normally  be  in  contact  with  the  indi- 
viduals. Nevertheless,  a  decision  by  an  oversight  agency  to  disallow 
a  claim  could  have  a  devastating  financial  effect  on  a  patient,  and 
fundamental  fairness  requires  that  there  be  access  to  the  underly- 
ing records.  Public  health  authorities  also  may  use  health  informa- 
tion about  individuals  to  make  decisions  with  serious  consequences. 
For  example,  a  public  health  authority  can  place  an  individual  in 
quarantine.  Access  to  records  is  therefore  important. 

There  are  seven  categories  of  information  that  can  be  withheld 
from  an  individual.  Reliance  on  these  exemptions  to  access  is  op- 
tional. No  trustee  is  required  by  anything  in  section  5121  to  with- 
hold the  information  that  falls  in  one  of  these  categories.  There 
may,  however,  be  other  legal  or  professional  obligations  that  war- 
rant withholding. 

First,  a  trustee  may  withhold  mental  health  treatment  notes  if 
the  trustee  determines  in  the  exercise  of  reasonable  professional 
judgment  that  access  to  the  notes  would  cause  sufficient  harm  to 
the  subject  of  the  notes  so  as  to  outweigh  the  desirability  of  permit- 
ting access.  This  is  permitted  in  order  to  protect  the  delicate  rela- 
tionship between  therapists  and  patients  and  to  recognize  the  ex- 
isting practice  whereby  such  notes  are  closely  protected  by  the 
therapist  from  all  non-treatment  uses.  Notes  might  include  the 
therapist's  speculations,  impressions,  hunches,  and  reminders,  but
would  not  include  objective  medical  information  such  as  test  re- 
sults, diagnoses,  types  of  treatment  provided,  and  similar  informa- 
tion. 

Another  prerequisite  for  denying  access  to  mental  health  treatment
notes  is  that  the  trustee  does  not  disclose  the  notes  to  any
person  not  directly  engaged  in  treating  the  individual,  except  with 
the  authorization  of  the  individual  or  under  compulsion  of  law. 
Thus,  if  the  notes  are  maintained  in  a  general  record  that  can  be 
routinely  seen  by  non-treatment  personnel,  the  exemption  to  access 
will  not  be  available.

It  is  the  policy  of  the  legislation  that  permitting  access  to  records
is  generally  desirable.  As  a  result,  the  burden  of  justifying  the 
withholding  of  mental  health  treatment  notes  falls  on  the  provider/ 
trustee.  A  specific  determination  is  required  in  each  case,  and  the 
provider/trustee  must  be  able  to  articulate  the  harm  that  would  re- 
sult from  access. 

The  bill  places  the  responsibility  for  making  the  determination  to 
withhold  on  the  trustee.  In  some  cases,  the  trustee  will  also  be  the 
health  care  provider.  In  other  cases,  the  provider  will  be  an  em- 
ployee or  person  otherwise  affiliated  with  the  trustee.  Obviously, 
decisions  that  require  professional  judgment  are  best  made  by  the 
professionals  who  are  involved  in  the  treatment  of  the  record  sub- 
ject. The  Committee  expects  that  these  professionals  will  normally 
be  consulted.  Where  the  original  health  care  provider  is  no  longer 
available,  trustees  will  have  to  make  the  necessary  judgments 
using  other  available  professionals. 

The  second  category  of  information  that  can  be  withheld  from  an 
individual  is  information  that  relates  to  other  individuals.  In  order 
to  withhold  this  type  of  data,  the  trustee  must  determine  in  the  ex- 
ercise of  reasonable  professional  judgment  that  access  would  cause 
sufficient  harm  to  one  or  both  of  the  individuals  so  as  to  outweigh 
the  desirability  of  permitting  access. 

The  Working  Group  on  Ethical,  Legal,  and  Social  Implications  of 
the  Human  Genome  Project  has  suggested  that  genetic  information
raises  special  problems  because  information  about  an  individual 
also  relates  to  the  individual's  blood  relatives  who  may  carry  the 
same  genes.  The  fact  that  information  about  a  requester  also  per- 
tains to  the  requester's  relatives  does  not  create  a  basis  for  with- 
holding information  about  the  requester  from  the  requester.  Simi- 
larly, while  information  that  is  in  the  file  of  a  relative  may  have 
some  bearing  on  a  requester,  the  requester  does  not  have  a  right 
to  see  any  information  that  does  not  pertain  directly  and  specifi- 
cally to  the  requester.  In  general,  where  information  about  one  in- 
dividual is  maintained  in  a  file  about  another  individual,  the  first 
individual's  inspection  and  correction  rights  are  limited  to  his  or 
her  own  file.  If  information  in  another  file  is  not  used  to  make  deci- 
sions that  affect  an  individual,  then  access  and  correction  are  not 
required. 

The  third  category  of  information  that  can  be  withheld  from  an 
individual  is  information  that  could  reasonably  be  expected  to  en- 
danger the  life  or  physical  safety  of  an  individual.  This  exemption 
is  not  likely  to  be  used  often,  but  it  could  be  very  important  in 
those  few  instances  where  it  is  available. 

The  fourth  category  of  information  that  can  be  withheld  from  an
individual  is  information  that  identifies  or  could  reasonably  lead  to
the  identification  of  an  individual  who  provided  information  under
a  promise  of  confidentiality  to  a  health  care  provider  concerning
the  individual  who  is  the  subject  of  the  information.93  This  exemption
cannot  be  used  to  withhold  the  identity  of  a  health  care  provider
who  is  involved  in  the  treatment  of  the  individual.  But  there
may  be  circumstances  in  which  family  members  or  others  provide
information  to  health  care  professionals  on  a  confidential  basis.  For
example,  a  woman  who  tells  a  physician  about  her  husband's  condition
or  activities  might  not  want  her  husband  to  know  that  she  was
the  source.94

93  The  Privacy  Act  of  1974,  5  U.S.C.  §552a  (1988),  makes  a  distinction  between  express  and
implied  promises  of  confidentiality.  After  the  effective  date  of  the  Privacy  Act,  a  promise  of  confidentiality
is  only  effective  if  it  is  an  express  promise.  For  information  collected  prior  to  that
effective  date,  an  implied  promise  of  confidentiality  is  sufficient.  See  5  U.S.C.  §552a(k)(2)  (1988).
This  same  distinction  between  express  and  implied  promises  is  appropriate  for  the  Fair  Health
Information  Practices  Part.

The  fifth  category  of  information  that  can  be  withheld  from  an 
individual  is  information  that  is  used  by  a  trustee  solely  for  admin- 
istrative purposes  and  not  in  the  provision  of  health  care  to  the  in- 
dividual who  is  the  subject  of  the  information.  If  the  information 
is  disclosed  to  any  other  person,  then  this  exemption  is  not  avail- 
able. Use  of  the  information  by  the  trustee  and  its  employees  does 
not  make  the  exemption  unavailable.  Examples  of  qualifying  infor- 
mation are  operating  room  schedules  and  patient  lists  that  may  be 
used  for  administrative  purposes.  Billing  information  cannot  qual- 
ify under  this  exemption. 

The  sixth  category  of  information  that  can  be  withheld  from  an 
individual  is  information  that  duplicates  information  that  is  avail- 
able for  inspection.  If  copies  of  x-rays,  pathology  reports,  lab  re- 
sults, or  similar  items  are  maintained  in  several  different  places  by 
a  trustee,  only  one  copy  must  be  made  available  to  the  subject  pro- 
vided that  all  copies  are  identical.  If  the  copies  differ  in  any  way 
or  some  include  handwritten  notes,  then  all  must  be  provided.95

The  seventh  category  of  information  that  can  be  withheld  from 
an  individual  is  information  that  is  compiled  principally  in  antici- 
pation of  a  civil,  criminal,  or  action  or  proceeding  or  that  is  com- 
piled principally  for  use  in  such  an  action  or  proceeding.  This  incor- 
porates the  attorney-client  evidentiary  privilege. 

If  a  trustee  denies  a  request  for  inspection  or  for  copying  in
whole  or  in  part,  the  trustee  is  required  to  give  the  individual  a 
written  statement  of  the  reason  for  the  denial.  This  follows  the  pol- 
icy of  the  Freedom  of  Information  Act.  A  trustee  must  disclose 
when  information  has  been  withheld  and  why  it  has  been  withheld. 
The  statutory  deadline  for  complying  with  requests  is  30  days  be- 
ginning on  the  date  the  trustee  receives  the  request. 

The  exemptions  in  the  bill  apply  only  to  the  access  and  inspec- 
tion process  under  section  5121.  The  exemptions  do  not  apply  in 
other  circumstances.  For  example,  if  a  patient  brings  a  malpractice 
action  against  a  physician  and  seeks  a  copy  of  all  of  the  physician's 
records  pertaining  to  that  patient  under  the  discovery  rules  of  the 
court,  the  exemptions  in  the  Fair  Health  Information  Practices 
Part  are  not  applicable  or  relevant.  The  scope  of  the  patient's  right 
to  the  record  will  be  determined  solely  under  the  applicable  discov- 
ery rules.  The  Part's  exemptions  do  not  apply  and  are  not  intended 
to  interfere  with  or  to  limit  any  other  access  rights  or  procedures 
that  may  be  available  to  the  subject  of  the  record  under  other  laws 
or  policies. 

A  trustee  may  establish  reasonable  procedures  governing  re- 
quests for  access  and  inspection.  Section  5121  specifically  allows  a 


94 See, e.g., Burnum, "Secrets About Patients", 324 New England Journal of Medicine 1130
(April  18,  1991)  ("Doctors  are  often  given  information  about  a  patient  by  family  members  or 
other  and  asked  to  keep  it  secret  from  the  patient."). 

95 When corrections are made, the correction must be included in all copies of the incorrect
information.  The  exception  for  access  to  duplicate  records  should  not  be  read  to  extend  to  correc- 
tions. 
trustee to require a written request for access. Of course, a trustee
may require that an individual seeking access provide sufficient
identification. Requiring fingerprints or other expensive, cumbersome
identification methods that are intended to serve as a procedural
barrier to access is not appropriate or permitted. The identification
requirement must be reasonable.

If  a  trustee  relies  on  any  of  the  exemptions  to  deny  access,  the 
trustee  must  permit  access  to  any  reasonably  segregable  portion  of 
a  record  after  deletion  of  any  exempt  portion.  This  is  a  standard 
policy borrowed directly from the Freedom of Information Act. 96 It
prevents  a  trustee  from  withholding  an  entire  record  or  even  an  en- 
tire page  just  because  there  is  one  line  of  exempt  information. 

A  trustee  may  charge  a  reasonable  cost-based  fee  for  permitting 
inspection or for providing a copy. A fee is not required, 97 and a
trustee  may  permit  inspection  or  provide  copies  at  no  charge  or  at 
a  reduced  charge.  The  fee  permitted  under  this  section  applies  only 
to  first  person  access.  Copying  or  other  charges  imposed  on  other 
users  of  health  information  are  not  regulated.  A  trustee  may  have 
a  different  fee  schedule  for  records  that  are  provided  to  insurers, 
providers,  lawyers,  or  others.  Only  those  requests  made  under  sec- 
tion 5151  are  subject  to  the  reasonable  cost-based  fee  standard. 

The  fee  must  be  reasonable.  The  overall  intent  is  to  provide  for 
patient  access  at  the  lowest  possible  fair  price.  Providing  patient 
access  is  not  intended  to  create  a  profit  center  for  health  informa- 
tion trustees  nor  is  it  intended  for  trustees  to  lose  money  respond- 
ing to  patient  requests. 

There  is  a  cost  associated  with  each  patient  request  for  access  or 
for  copying,  but  the  section  does  not  require  a  trustee  to  calculate 
the  actual  cost  for  each  request.  The  fee  must  be  cost-based.  A  cost- 
based  fee  must  be  related  to  the  costs  of  responding  to  requests, 
but  a  trustee  is  not  required  to  track  each  cost  element  for  each 
request.  A  trustee  may  choose  to  base  its  fees  on  the  average  cost 
of  retrieving  a  record,  copying  a  page,  or  duplicating  an  x-ray. 

There are several elements for which costs may be recovered. For
example, there are labor costs associated with processing requests,
retrieving records, and copying records. There are costs for materials
and equipment that may include computer time, photocopying
charges,  paper,  and  similar  items.  There  may  be  postage  costs,  ad- 
ministrative expenses,  and  other  expenses  that  are  directly  related 
to  responding  to  requests.  A  trustee  may  hire  a  contractor  to  per- 
form some  or  all  of  these  functions  and  may  pass  on  the  contrac- 
tor's charges  to  the  patient,  provided  that  the  charges  are  reason- 
able and  consistent  with  the  standard  in  the  section. 

A  trustee  may  not  charge  an  arbitrary  fee  unrelated  to  the  trust- 
ee's cost.  For  example,  a  hospital  may  not  impose  a  fee  for  a  copy 


96 5 U.S.C. § 552(b) (1988).

97 There are some states that provide for reduced fees for patient inspection or copying. These
state policies are not altered by the preemptive nature of this section because the charging of
fees  is  discretionary  with  the  trustee.  Where  discretion  may  be  exercised  in  this  area,  it  is  not 
inconsistent  with  the  preemption  language  if  the  discretion  is  exercised  by  the  state  or  by  the 
trustee.  The  framework  of  the  inspection  section  remains  intact. 

98 A determination of average cost can be made in a number of ways. A trustee may evaluate
its own costs, may determine average costs in association with other trustees in the same city
that perform similar activities, or may use general office cost studies for similar function in its
region. The Act does not require an elaborate cost-accounting justification for each action. The
process  used  to  calculate  average  cost  need  only  be  reasonable  and  not  exact. 
of a bill that is a percentage of the bill. That would violate the
requirement that the fee be cost-based. If records are fully
computerized, the costs of providing a digital copy may be small, and fees
should  reflect  the  lower  cost.  For  example,  when  it  is  necessary  to 
physically  retrieve  a  paper  record  from  a  central  repository,  there 
may  be  a  charge  for  the  retrieval.  But  if  the  retrieval  of  a  comput- 
erized record  can  be  accomplished  through  a  few  keystrokes,  it 
would  be  unreasonable  to  impose  the  same  retrieval  fee  as  for  a 
paper  record  because  the  costs  are  significantly  different. 

SECTION  5122.  AMENDMENT  OF  PROTECTED  HEALTH  INFORMATION 

The  right  to  seek  correction  of  records  is  another  basic  element 
of  a  code  of  fair  information  practices.  Section  5122  imposes  a  re- 
quirement to  accept  and  consider  requests  for  amendment  on  the 
same  health  information  trustees  who  are  required  to  provide  for 
patient inspection. The requirement applies to health care providers,
health benefit plans, health oversight agencies that maintain
protected  health  information  and  to  health  information  trustees 
who  receive  protected  health  information  pursuant  to  section  5141 
(health  information  service  organizations). 

A  trustee  has  forty-five  days  to  make  a  decision  on  a  request  for 
amendment.  If  the  trustee  makes  the  requested  change,  the  trustee 
must  make  reasonable  efforts  to  inform  any  person  (other  than  an 
employee  of  the  trustee)  identified  by  the  subject  of  the  record  who 
is  a  known  recipient  of  the  incorrect  information  about  the  change. 
The  purpose  here  is  to  make  sure  that  improper  information  passed 
on to others is accurate and up-to-date. The accounting for disclosures
required under section 5124 will provide a list of potential recipients
of the data. It may not be necessary to provide the correction
to all recipients. 99 The trustee is also required to make reasonable
efforts to inform known sources of incorrect information.

The requirement that "reasonable efforts" be made to share corrections
means that trustees must try to contact the persons who
are  to  receive  the  corrections.  In  most  circumstances,  use  of  the 
mail  or  the  telephone  will  be  sufficient.  How  much  effort  is  re- 
quired will  depend  on  a  number  of  factors,  including  the  age  of  the 
incorrect  information;  the  expense  involved;  and  the  importance  of 
the  correction.  If  a  record  has  been  changed  because  it  indicates  an 
incorrect  blood  type,  it  is  appropriate  that  greater  efforts  be  made 
to  ensure  that  the  correction  is  received  by  all  who  have  the  wrong 
information.  Incorrect  information  of  this  type  could  result  in  seri- 
ous harm. 

On  the  other  hand,  lesser  efforts  may  be  appropriate  when  a 
record  is  corrected  to  show  that  a  patient  is  actually  42  years  old 
and  not  43  years  old.  Also,  a  correction  need  not  be  provided  where 
it  would  serve  no  purpose.  For  example,  if  a  physician  was  a  source 


99 It is possible that sending corrections to some recipients will not be necessary or appropriate.
For example, suppose that a data tape containing hundreds of patient records is accidentally
mailed to the wrong address. Technically, the records were disclosed to that accidental recipient.
Sending corrections to that same recipient would be pointless and would actually exacerbate
any improper disclosure. Presumably, the record subject would choose not to have a correction
sent in such a circumstance. There may be other cases where the record subject would not
choose to send the correction. A trustee may, however, transmit a correction to a previous recipient
if the trustee decides that the disclosure is appropriate and otherwise consistent with the
Act.
of information but is no longer in practice, providing a correction
to  that  physician  would  be  pointless.  Where  reasonable  attempts 
fail  without  satisfying  the  patient,  a  trustee  may  provide  the  pa- 
tient with  a  certified  copy  of  the  changed  record  and  the  patient 
may  pursue  the  dissemination  of  the  corrected  record  as  he  or  she 
sees  fit. 

Overall,  section  5122  allows  health  information  trustees  consider- 
able procedural  flexibility.  When  a  trustee  denies  a  request  for 
change  or  amendment,  the  trustee  must  inform  the  individual  of 
the reasons for the refusal and of any procedures for further review.
A trustee is not required to conduct hearings or to have an
internal appeal procedure, but the existence of an appeal procedure
must be disclosed to requesters. The burden of proving that
information  maintained  by  a  health  information  trustee  needs  to  be 
amended  or  corrected  falls  on  the  patient.  If  the  trustee  decides 
that  a  patient  has  failed  to  meet  this  burden,  then  the  request  may 
be  denied. 

Section  5171(f)  provides  elsewhere  that  a  requester  must  exhaust 
any  administrative  appeal  procedure  before  pursuing  judicial  rem- 
edies. It  is  possible  that  trustees  may  jointly  establish  appeal 
mechanisms  to  consider  appeals.  For  example,  hospitals  in  a  region 
may  utilize  an  appeal  process  established  and  operated  jointly  by 
the  hospitals  or  they  may  utilize  an  independent  review  service. 
The  alternative  dispute  resolution  mechanisms  described  in  section 
5173  may  be  applied  to  correction  appeals. 

If  an  individual's  request  for  correction  is  denied,  the  individual 
has  the  right  to  file  with  the  trustee  a  concise  statement  setting 
forth  the  requested  correction  and  the  individual's  reasons  for  dis- 
agreeing with  the  refusal.  Any  statement  of  disagreement  must  be 
included  in  any  subsequent  disclosure  of  the  disputed  portion  of  the 
information  about  the  individual.  The  trustee  may  include  a  con- 
cise statement  of  its  reasons  for  not  making  the  requested  change. 
This  is  similar  to  an  existing  requirement  under  the  Privacy  Act 
of  1974. 

An  individual  may  request  correction  or  amendment  of  protected 
health  information  about  the  individual  when  the  information  is 
not  timely,  accurate,  relevant,  or  complete  for  the  purposes  for 
which  the  information  may  be  used  or  disclosed.  The  standard  of 
timely,  accurate,  relevant,  and  complete  is  common  in  codes  of  fair 
information  practices.  The  requirement  for  correct  records  must  be 
assessed  in  light  of  the  purposes  for  which  the  information  is  being 
used  or  disclosed.  For  example,  a  hospital  record  can  be  a  dynamic 
document,  with  information  being  added  constantly  during  and 
after  an  inpatient  stay.  Such  a  record  cannot  be  judged  to  violate 
the  statute's  timeliness  standard  simply  because  information  has 
not  yet  been  added.  Only  when  a  delay  in  posting  information  is 
unreasonably long or a patient is prejudiced as a result of an abnormal
delay, then the record may be found to be in violation of
the  standard.  In  many  cases,  a  professional  judgment  about  timeli- 
ness, accuracy,  relevance,  and  completeness  will  be  appropriate. 

Similarly,  a  record  may  include  information  that  a  physician  was 
told  by  a  patient  (e.g.,  "My  husband  hit  me  when  he  was  drunk"). 
It  is  not  the  obligation  of  the  physician  to  determine  the  truth  of 
the  statement.  If  the  physician  deems  the  statement  to  be  relevant 
and includes it in the record, the physician has no obligation under
the  Fair  Health  Information  Practices  Part  to  investigate  the  truth 
of  the  statement.  The  record  is  correct  if  it  is  an  accurate  and  rel- 
evant reflection  of  what  the  patient  said.  A  patient,  of  course,  may 
seek  to  add  a  statement  disagreeing  with  the  accuracy  of  the 
record. 

There  is  considerable  case  law  under  the  Privacy  Act  of  1974 
where  individuals  attempted  to  use  the  Act's  correction  mechanism 
as  a  basis  for  collateral  attacks  on  agency  determinations.  The 
courts  have  generally  rejected  these  attempts.  This  line  of  reason- 
ing is  fully  applicable  here  as  well. 

It  is  standard  practice  for  a  medical  record  keeper  not  to  expunge 
any  information  in  a  treatment  record.  The  universal  procedure  is 
to  mark  incorrect  information  and  to  add  the  correct  information. 
Section  5122(e)  makes  it  clear  that  there  is  no  requirement  that 
any  information  be  erased  or  deleted.  The  trustee  is  expressly  au- 
thorized to  mark  incorrect  information  and  to  place  supplementary 
correct  information  in  the  record  and  to  add  appropriate  cross  ref- 
erences to  the  correct  information.  This  strict  policy  for  medical 
records  may  or  may  not  be  needed  for  other  types  of  records  subject 
to  the  Part,  but  each  trustee  has  the  option  to  use  the  same  correc- 
tion procedure. 

SECTION  5123.  NOTICE  OF  INFORMATION  PRACTICES 

The  Fair  Health  Information  Practices  Part  relies  on  individual 
action  as  one  enforcement  mechanism.  As  a  result,  it  is  critical  that 
individuals  be  informed  about  their  rights  and  how  to  exercise 
them.  This  is  also  a  standard  feature  of  any  code  of  fair  informa- 
tion practices.  Section  5123  accomplishes  this  by  requiring  some 
health  information  trustees  to  prepare  and  make  available  to  any 
person  a  notice  of  information  practices. 

The  requirement  to  prepare  a  notice  of  information  practices  falls 
on  health  care  providers,  health  benefits  plans,  health  oversight 
agencies,  and  health  information  service  organizations.  These  are 
the  trustees  who  will  be  making  basic  substantive  decisions  about 
an  individual's  health  care  and  payment.  Not  all  of  these  trustees 
will  have  regular  and  direct  contact  with  individuals,  but  their  ac- 
tivities are  of  sufficient  importance  that  the  notice  must  be  pre- 
pared and  made  available  upon  request.  The  same  duty  has  not 
been  imposed  on  other  health  information  trustees  because  there  is 
not  a  sufficient  nexus  between  the  trustee  and  the  subject  of  the 
information  to  warrant  imposing  the  requirement  of  preparing  a 
notice. 

The  notice  must  contain  three  elements.  First,  it  must  describe 
the  rights  that  individuals  have  under  the  Part,  including  the  right 
to  inspect  and  copy  information  and  the  right  to  seek  amendments. 
The  notice  also  must  describe  the  procedures  for  authorizing  disclo- 
sures of  information  and  for  revoking  authorizations. 

Second,  the  notice  must  describe  the  procedures  established  by 
the  trustee  for  the  exercise  of  the  rights  provided  by  the  Part.  For 
example,  a  trustee  who  requires  individuals  seeking  access  to  infor- 
mation to  make  a  written  request,  to  provide  identification,  or  to 
pay an allowable fee in advance must describe the rules and procedures
in the notice of information practices. If a trustee has established
an internal appeal procedure for denials of access or amendment,
the procedure should be described in the notice. The notice
should also include the name, address, and telephone number of
the office that an individual should contact to exercise the right of
access and amendment.

Third, the notice should describe the types of uses and disclosures
that are permitted. This description of uses and disclosures
does not have to be excessive in detail nor does each potential use
and disclosure have to be spelled out in full. The purpose of the description
is to make individuals generally aware of how the information
they supply may be seen by others and to permit them to
exercise the right to object to disclosures.

In order to assist in the preparation of the required notice of information
practices, the Secretary is required to develop and disseminate
model notices for use by trustees. Several different types
of notices will be necessary to meet the needs of the different trustees.
A notice for a provider will be different from a notice for a
payer or an oversight agency. Model notices will reduce the prospect
of litigation over the sufficiency of the notice for any given
trustee. While each trustee may have to adapt the model notice to
meet its own situation, use of the core notice issued by the Secretary
will provide a safe harbor.

The notice of information practices should be distributed to any
individual upon request. There is no requirement that a copy of the
notice be affirmatively handed to each patient, but a trustee who
routinely sees patients must inform the patients of the availability
of the notice. The posting of a sign stating the availability of the
notice is one way to accomplish this. Patients can be notified in
other ways as well, including through notices on bills or other
written documents.

A trustee who does not routinely interact with patients, such as
a health oversight agency, need only make efforts to inform individuals
about the availability of the notice at the time when there is
contact. There is no requirement that signs be posted at locations
where patients do not routinely appear. Notice can be provided in
other reasonable ways. One such way is to include a written statement
on a form or other document that will be seen by patients.

SECTION 5124. ACCOUNTING FOR DISCLOSURES

Section 5124 requires that all health information trustees maintain
an accounting for each external disclosure of protected health
information. There are four required elements for accounting. First
is the date and purpose of the disclosure. The second is the name
of  the  person  to  whom  the  disclosure  was  made.  This  does  not  re- 
quire recording  the  name  of  the  specific  individual  who  received  the 
information.  It  is  sufficient  to  record  the  institution  to  which  the 
information  was  provided.  Thus,  an  accounting  might  identify  the 
person  as  "Blue  Cross  of  California"  or  "Dr.  Jane  Doe's  Office"  or 
"University  of  Oklahoma  Hospital". 

The  third  element  of  the  accounting  is  the  address  of  the  person 
to whom the disclosure was made or the location to which disclosure
was made. In the modern information age, a street address is
not always the most meaningful or relevant location, and it may
not be known at the time the data is disclosed. Much information
is shared through electronic means. A computer address
may  be  appropriate.  The  goal  is  to  allow  the  recipient  to  be  found 
at  a  later  date.  The  accounting  should  include  the  most  appropriate 
location  information  under  the  circumstances. 

When  disclosures  are  routinely  made  to  the  same  institution,  the 
address  does  not  have  to  be  repeated  each  time  in  each  record.  If, 
for  example,  disclosures  are  routinely  made  to  Blue  Cross,  it  is  suf- 
ficient that  the  location  of  Blue  Cross  can  be  provided  when  needed 
later. 

The last element of an accounting is a description of the information
disclosed, where practicable. This requirement should be interpreted
in light of the technical capabilities of the system used to
maintain  the  record  and  the  cost  of  such  maintenance. 

This  is  not  intended  to  require  a  specific  recording  of  each  data 
element  disclosed.  When  it  is  practical  and  cost-effective  to  main- 
tain more  detailed  data  about  the  disclosure,  then  it  is  appropriate 
to  do  so.  This  may  only  be  the  case  in  an  advanced  computerized 
health  information  system  that  has  such  a  capability  built  in.  For 
existing  computer  systems  with  limited  capability  for  accounting, 
the  practicability  standard  does  not  mean  that  expensive 
reprogramming  is  required.  These  systems  may  be  accepted  as  they 
are  if  a  basic  set  of  accounting  data  is  maintained  in  some  fashion. 
The  accounting  information  may  even  be  maintained  in  a  separate 
system  or  on  paper. 

The  Secretary  may  decide  to  establish  more  specific  accounting 
requirements  through  regulation.  The  Secretary  could,  for  example, 
prescribe  rules  for  computer  systems  that  will  be  placed  in  service 
at  a  future  date.  By  establishing  such  requirements  well  in  ad- 
vance, the  needed  capabilities  can  be  designed  and  implemented  at 
low  cost  and  without  the  need  for  retrofitting. 

For  paper  records,  practicalities  and  expense  will  limit  the  de- 
scription of  the  information  disclosed.  If  an  entire  record  is  dis- 
closed, then  the  accounting  may  so  note.  The  possibility  that  the 
record  will  change  in  the  future  is  not  important,  even  though  it 
may  be  impossible  to  determine  exactly  what  data  elements  were 
disclosed.  Since  it  is  not  practicable  to  track  individual  data  ele- 
ments for  paper  records,  the  accounting  may  be  more  broadly  de- 
scriptive because  the  cost  of  recording  details  is  prohibitive. 

The accounting for disclosures is itself protected health information,
and Section 5121(a) expressly provides that the individual
is  entitled  to  see  the  accounting  for  disclosures  made  from  the 
record  about  the  individual.  This  is  one  way  that  an  individual 
whose  rights  have  been  violated  by  an  improper  disclosure  can 
identify  the  responsible  party. 

The  accounting  provision  does  not  require  any  specific  type  of 
form  or  log.  As  long  as  disclosures  can  be  identified  or  accurately 
reconstructed,  a  trustee  may  maintain  the  accounting  in  any  way 
that  it  chooses.  Accounting  information  can  be  included  in  a  patient 
file,  in  a  separate  log,  or  in  any  other  way.  As  long  as  it  is  possible 
to  provide  the  basic  elements  to  a  patient  who  requests  them,  then 
a  trustee  can  choose  a  method  most  suitable  to  its  record  keeping 
practices. 

No  accounting  is  required  for  disclosures  made  under  the  next  of 
kin and directory information section. The recording of these disclosures
would be unduly burdensome or otherwise unnecessary.
Similarly,  the  Secretary  is  directed  to  issue  regulations  exempting 
from  the  accounting  requirements  disclosures  for  purposes  of  peer 
review,  licensing,  certification,  accreditation,  and  similar  activities. 
These  types  of  activities  generally  do  not  involve  the  review  of  spe- 
cific patient  records  in  connection  with  determinations  about  the 
patient.  An  accrediting  agency  may  review  records  only  to  deter- 
mine if  general  record  keeping  standards  are  being  met.  Requiring 
an  accounting  would  normally  be  unnecessary.  The  Secretary's  reg- 
ulations can  provide  more  detailed  rules. 

SECTION  5125.  SECURITY 

Section  5125  requires  each  health  information  trustee  to  main- 
tain reasonable  and  appropriate  administrative,  technical,  and 
physical  safeguards  to  protect  the  security,  integrity,  and  confiden- 
tiality of  protected  health  information  against  any  reasonably  an- 
ticipated threats  or  hazards.  Key  words  in  the  security  section  are 
"reasonable",  "appropriate",  and  "reasonably  anticipated".  Trustees 
are  obligated  to  maintain  security,  but  they  are  not  expected  to 
provide  absolute  protection  against  all  possible  security  breaches. 
Nevertheless,  casual  security  measures  will  not  meet  the  statutory 
standard.  Each  trustee  must  be  sure  that  it  has  an  adequate  secu- 
rity plan  and  that  its  employees  have  been  trained  to  recognize  the 
special  obligations  that  attach  to  protected  health  information. 

The  statutory  requirements  have  intentionally  been  stated  very 
broadly. Section 5125 requires the Secretary to develop and disseminate
security guidelines. It is not appropriate to specify appropriate
security methods in legislation because technology is too varied
and too dynamic. Additionally, different types of technology call
for  different  types  and  degrees  of  security.  For  example,  the  same 
security  measures  may  not  be  appropriate  for  information  main- 
tained on  paper  as  for  information  maintained  on  computers.  Paper 
records,  computerized  records,  and  networked  records  all  face  dif- 
ferent types  of  threats. 

The  Secretary's  guidelines  can  take  all  these  factors  into  account. 
They  can  consider  the  technical  capabilities  of  record  systems,  the 
costs  of  security  measures,  the  need  for  training  of  personnel,  and 
the  value  of  audit  trails  in  computerized  record  systems.  Specific 
security  measures,  such  as  audit  trails,  are  especially  valuable  for 
computer  systems  that  have  the  capability  of  recording  the  nec- 
essary data.  It  will  be  appropriate  for  the  Secretary  to  direct 
that  new  computer  systems  should  include  the  ability  to  maintain 
audit  trails  at  some  point  in  the  future. 

Another  key  security  element  is  the  need  for  sufficient  resources 
so  that  security  goals  can  be  accomplished.  For  example,  it  is  nice 
to  have  a  computer  system  that  maintains  audit  trails  monitoring 
internal  access  to  protected  health  information.  But  if  the  audit 
trails are simply recorded without any review of suspicious activity,


100 An audit trail would record the date, identity, and information access for an internal use.
Access  by  a  hospital  employee  to  a  hospital  patient  computer  system  would  be  recorded  through 
an  audit  trail.  An  audit  trail  is  different  than  an  accounting  for  disclosure.  An  accounting  is 
appropriate  when  protected  health  information  is  disclosed  to  a  person  other  than  the  trustee, 
an  officer  or  employee  of  the  trustee,  or  an  affiliated  person  of  the  trustee. 
then there is little meaningful security. The adequacy of a trustee's
security may be measured not only by the technical measures
in  place  to  prevent  or  monitor  misuse  but  also  by  the  effective  use 
made  of  those  security  measures.  A  trustee  who  records  misuse  of 
information  but  who  rarely  or  never  investigates  suspicious  activity 
will  not  meet  the  statutory  test  of  reasonable  and  appropriate 
measures.  The  Secretary  can  and  should  address  the  resource  issue 
in  more  detail. 

Security  measures  must  protect  against  reasonably  anticipated 
threats.  The  Committee  cautions,  however,  against  treating  secu- 
rity as  simply  the  need  to  prevent  hackers  or  outsiders  from  obtain- 
ing access  to  protected  health  information.  That  is  only  one  ele- 
ment. There  is  evidence  to  support  the  belief  that  an  equal  or 
greater  threat  comes  from  misuse  of  information  by  those  who  have 
access  to  the  information  during  the  course  of  their  routine  activi- 
ties. Insider  abuse  is  a  characteristic  of  virtually  every  computer- 
ized system  containing  personal  information,  and  it  may,  in  fact, 
constitute the greatest security threat. Adequate security for protected
health information must offer reasonable protection against
insider  abuse. 

SECTION  5131.  GENERAL  LIMITATIONS  ON  USE  AND  DISCLOSURE 

Section  5131  sets  out  general  rules  on  the  use  and  disclosure  of 
protected  health  information  by  all  health  information  trustees.  An 
internal  use  of  protected  health  information  by  a  trustee  is  permis- 
sible if  the  use  is  for  a  purpose  that  is  compatible  with  and  directly 
related  to  the  purpose  for  which  the  information  was  collected  or 
received  by  the  trustee.  The  standard  is  not  intended  to  interfere 
with  essential  uses  of  information  in  support  of  the  activities  for 
which  a  trustee  obtained  protected  health  information.  It  is  in- 
tended to  impose  a  strict  prohibition  against  extraneous  or  unnec- 
essary uses  by  a  trustee  and  the  trustee's  employees  and  affiliated 
persons. 

The  language  for  assessing  uses  is  based  in  part  on  the  experi- 
ence of  the  federal  government  with  the  Privacy  Act  of  1974. 103  The 
Privacy  Act  contains  fair  information  practices  that  regulate  the 
collection,  maintenance,  use,  and  disclosure  of  personal  records  by 
federal  agencies.  Internal  uses  under  the  Privacy  Act  are  usually 
governed  by  subsection  (b)(1),  which  permits  the  disclosure  of  per- 
sonal information  to  officers  and  employees  of  the  agency  maintain- 
ing the  record  who  have  a  need  for  the  record  in  the  performance 
of  their  duties.  This  standard  has  long  been  identified  as  impos- 
ing virtually  no  barrier  to  internal  use  of  personal  records. The 
Committee disagrees with the way that this provision has been implemented.
Based on the experience under the Privacy Act, such a
loose standard for internal uses of protected health information has
been expressly rejected.

101 See, e.g., General Accounting Office, "National Crime Information Center: Legislation
Needed to Deter Misuse of Criminal Justice Information" (GAO/T-GGD-93-41). GAO found that
some of the audit trails maintained as part of the NCIC system were reviewed infrequently and
that abuse of information recorded in the audit trails was never identified as a result. See also
OTA Medical Privacy Report at 54.

102 Some technical measures that provide a degree of security, such as encryption, may be
ineffective against insiders who have access to information before it is encrypted or after it is
decrypted. Encryption may provide a higher level of security against external threats.

103 5 U.S.C. 552a (1986).

104 5 U.S.C. §552a(b)(1) (1986).

105 See, e.g., Privacy Protection Study Commission, "The Privacy Act of 1974: An Assessment"
69 (1977) (Appendix 4 to the Report of the Privacy Protection Study Commission).

The  Committee  has  also  reviewed  the  Privacy  Act's  routine  use 
provision  that  allows  federal  agencies  administrative  flexibility  to 
define  permissible  disclosures.  A  routine  use  is  the  disclosure  of  a 
record  for  a  purpose  that  is  compatible  with  the  purpose  for  which 
the record was collected. This standard has also been interpreted
much  too  loosely  by  the  agencies.  Most  agencies  view  the  routine 
use  provision  as  permitting  virtually  any  disclosure  just  as  long  as 
the  proper  notice  has  been  published  in  the  Federal  Register.  This 
view  of  the  law  is  incorrect.  The  principal  effect  has  been  to  treat 
the  routine  use  provision  as  a  procedural  rather  than  a  substantive 
barrier  to  disclosure.  This  was  not  the  original  intent  of  the  Privacy 
Act,  and  there  are  many  existing  routine  uses  that  are  inconsistent 
with  both  the  letter  and  the  intent  of  the  Privacy  Act. 

The  Committee  recognizes  that  it  would  be  an  impossible  task  to 
set  forth  in  the  legislation  all  appropriate  internal  uses  for  pro- 
tected health  information  by  all  trustees.  A  general  statutory 
standard  is  required.  The  "need  to  know"  standard  used  in  the  Pri- 
vacy Act  was  rejected  as  ineffectual.  The  Committee  also  rejected 
the  simple  compatibility  test  of  the  Privacy  Act's  routine  use  defini- 
tion because  it  has  proved  in  practice  to  be  unacceptably 
unrestrictive. 

Instead,  the  bill  permits  the  use  of  protected  health  information 
only  for  a  purpose  that  is  compatible  with  and  directly  related  to 
the  purpose  for  which  the  information  was  collected  or  was  received 
by  the  trustee.  Each  person  or  institution  that  becomes  a  health  in- 
formation trustee  must  apply  this  test  to  its  activities.  The  key  con- 
cept is  that  of  "purpose".  A  trustee's  purpose  must  be  assessed  on 
the  basis  of  the  reasons  the  protected  health  information  was  col- 
lected or  received.  Thus,  a  person  who  becomes  a  health  informa- 
tion trustee  by  virtue  of  a  disclosure  under  emergency  cir- 
cumstances would  have  a  very  narrowly  constrained  purpose.  Only 
those  uses  that  are  compatible  with  and  directly  related  to  alleviat- 
ing emergency  circumstances  would  be  permitted.  Other  uses  are 
unrelated  to  the  purpose  of  the  trustee  and  would  be  prohibited, 
but  internal  uses  that  are  essential  to  the  management  of  the 
trustee  are  acceptable. 

In  contrast,  a  health  care  provider  would  have  a  much  more  ex- 
pansively defined  purpose.  For  example,  in  a  hospital,  the  use  of 
protected  health  information  to  support  the  provision  of  health  care 
would  obviously  be  permitted.  Other  uses  that  are  necessary  for 
the  functioning  of  the  hospital,  for  routine  management  activities, 
for quality assurance activities, or for carrying out mandates under
law  fall  within  the  purpose  for  which  the  information  was  collected. 
Teaching,  training,  and  research  activities  also  can  fall  within  a 
hospital's  purpose. 

In  order  to  clarify  the  full  range  of  permissible  uses,  the  bill  spe- 
cifically provides  that  a  trustee  may  use  information  for  a  purpose 
for which the trustee is authorized to make a disclosure. For example,
a hospital can disclose information to an external health researcher
who has met the standards of the health research section.
The hospital may permit a researcher who is an employee to have
the same access under the same conditions. Similarly, internal
oversight uses that are the same as authorized external oversight
disclosures are permitted under the same conditions.

106 5 U.S.C. §552a(a)(7) (1986).

One  especially  troublesome  area  involves  the  use  of  patient 
records  for  direct  marketing.  External  disclosures  for  marketing 
are not authorized anywhere in the Fair Health Information Practices
Part. Use by a hospital, for example, of its own patient list
for its own direct marketing activities would have to meet the statutory
test of compatible with and directly related to the hospital's
purpose. Some uses will fall within the test. For example, contacting
patients by mail to inform them that a provider has moved its
location meets the test.107

Most  other  uses  of  patient  information  for  marketing  are  likely 
to  be  inconsistent  with  the  standard.  The  sale  of  patient  lists  of 
any  type  would  be  a  disclosure  and  would  be  expressly  prohibited. 
A  mailing  conducted  by  a  trustee  for  a  third  party  also  would  fail 
to meet the use test ("This hospital urges its patients to buy safe
automobiles such as those manufactured by the XYZ Company")
though there was technically no disclosure to the third party. This
would simply represent a circumvention of the disclosure restriction.

Use  of  patient  specific  information  for  marketing  activities  was 
troubling  for  health  industry  witnesses  as  well.  At  a  hearing  on 
H.R.  4077,  Frederic  Entin,  Senior  Vice  President  and  of  the  Amer- 
ican Hospital  Association  discussed  the  marketing  issue  in  more 
depth: 

We  draw  the  line  at  selling  of  lists.  That  is  something 
that  should  not  occur.  We  have  various  advisories  and  doc- 
uments that  have  been  developed  over  the  years  that  we 
disseminate  to  our  members  with  regard  to  the  overall 
question  of  confidentiality  of  records  and  use  of  records  for 
a  variety  of  purposes. 

I  have  reviewed  those.  I  can't  say  that  we  have  a  direct 
position  that  opposes  marketing  in  general.  One  could  jus- 
tify use  of  patient  information  in  a  hospital  to  the  extent 
that  the  hospital  is  using  that  list  of  patients  to  inform 
them  of  services  that  are  beneficial  to  members  of  the  com- 
munity. 

To  go  beyond  that  and  to  target  patients  for  particular 
services  because  of  their  disease  condition  is  something 
which doesn't need to be asked. It is a very difficult problem
and you have to balance, I would suggest, the need to
provide useful information to the community against the
right to privacy.108

107 How the mail is sent may make a difference. The mailing of a postcard can involve the
disclosure of patient information. For example, a clinic that exclusively treats patients for sexually
transmitted diseases would certainly be ill advised to send a postcard to all former patients
announcing a new location. The fact that a particular individual was a patient of the clinic is
protected health information, and the postcard might be read by a postal worker or any other
members of the individual's household. The same notice sent in an unmarked envelope would
not normally constitute a disclosure.

There is nothing in the Act that prevents the use of a postcard to contact a patient to notify
the patient about an appointment if the patient has been notified of the practice and has not
objected. A physician may ask if a patient objects to being notified by postcard and follow the
patient's preference.

Dr. Donald Lewers, a Member of the Board of Trustees of the
American Medical Association and another witness at the hearing,
agreed  with  Mr.  Entin: 

I  think  we  agree.  We  still  have  to  fall  back  to  where  we 
were  as  far  as  unique  identification  and  associating  that 
individual  with  release  of  that  information.  Sending  an  in- 
dividual a  letter  is  one  thing  but  if  you  are  using  that  in- 
formation in  identifying  that  patient,  that  is  wrong. 

There  are  a  lot  of  times  where  you  need  to  get  disease- 
specific  information  for  tracing  issues,  certain  diseases 
where  you  may  have  to  go  into  that.  But  to  market  is  a 
little  different  area  that  we  have  to  be  careful  about,  and 
I  would  agree  with  the  previous  speaker  on  that.109 

Kathleen  Frawley  from  the  American  Health  Information  Man- 
agement Association  offered  an  equally  strong  objection  to  the  use 
of  information  for  marketing:  "I  think  that  any  use  of  an  individ- 
ual's information  for  direct  marketing  purposes  should  be  author- 
ized by  that  individual.  I  think  that  we  have  to  be  very  careful 
about  those  kinds  of  practices." 

All of these witnesses agreed that marketing uses of specific patient
information are improper. Selecting patients for mailings or
similar  marketing  activities  based  on  diagnoses,  types  of  treatment, 
prescriptions,  or  similar  information  is  inappropriate.  Merging  pa- 
tient lists  with  other  consumer  mailing  lists  or  other  consumer  pro- 
files is  similarly  inappropriate. 

The  intent  of  the  legislation  is  to  draw  a  very  tight  line  around 
the  use  of  any  protected  health  information  by  health  information 
trustees for marketing. As Dr. Lewers pointed out, patient information
may be needed for tracing certain diseases.111 That would obviously
be a treatment activity and does not constitute marketing.
Other contacts with patients also may constitute treatment and
may not be subject to restriction in this way. In general, however,
any doubts about the use of protected health information for marketing
activities should be resolved by denying use of the information.
Any use of patient-specific information for marketing is simply
inappropriate. The establishment or sale of mailing lists or
consumer profiles containing diagnoses, health information, drug
usage, or similar information is offensive and an invasion of privacy.

Another  general  restriction  on  use  and  disclosure  is  the  require- 
ment that  a  use  or  disclosure  of  protected  health  information  by  a 
health  information  trustee  be  limited,  when  practicable,  to  the  min- 
imum amount  of  information  necessary  to  accomplish  the  purpose 
for which the information is used or disclosed. This applies to all
uses and to all permitted disclosures, including disclosures made
pursuant to discovery, subpoena, and warrant.

108 H.R. 4077 Hearings (May 4, 1994).

109 Id.

110 Id.

111 Id.

The  Secretary  is  required  to  issue  guidelines  to  implement  this 
restriction, and the guidelines must take into account the technical
capabilities  of  the  records  systems  used  to  maintain  protected 
health  information  and  the  costs  of  limiting  uses  and  disclosures. 
These are the principal factors to be considered in making practicability
determinations. For example, it is likely to be easier to
be  much  more  specific  when  providing  access  to  computerized 
records  than  when  providing  access  to  paper  records.  A  well-pro- 
grammed computer  can  automatically  permit  each  user  to  see  only 
that  information  that  is  needed  to  accomplish  the  user's  purpose. 
This  type  of  restricted  access  can  be  prohibitively  expensive  for  rou- 
tine activities  when  records  are  maintained  on  paper,  and  the  Sec- 
retary's guidance  should  take  this  into  account.  Other  factors  that 
are  relevant  to  practicability  determinations  are  the  sensitivity  of 
the information and the nature of the use or disclosure.114

SECTION  5132.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PROTECTED 
HEALTH  INFORMATION 

Section  5132  provides  that  any  person  who  seeks  from  an  indi- 
vidual an  authorization  for  the  disclosure  of  protected  information 
must  provide  the  individual  with  a  statement  of  the  uses  for  which 
the  person  intends  the  information  and  of  the  disclosures  that  the 
person  intends  to  make  of  the  information.  A  statement  that  the 
person  may  disclose  the  information  to  any  person  and  for  any  pur- 
pose is  not  specific  enough  to  meet  the  requirement  of  the  section. 
The  purpose  is  to  inform  the  individual  how  the  information  will 
be  used  or  disclosed  in  fact  and  to  restrict  the  recipient  from  using 
or  disclosing  the  information  without  limit. 

The statement of uses and disclosures must be provided to the individual
before the authorization is executed, and the statement
must  be  on  a  form  that  is  separate  from  the  authorization.  The  rea- 
son for  the  separate  form  is  to  allow  an  individual  to  authorize  dis- 
closure without  disclosing  the  reason  to  the  trustee.  This  may  pro- 
tect a  privacy  or  other  interest  of  the  individual. 

The  statement  of  uses  and  disclosures  is  binding  on  the  person 
who  sought  the  authorization,  and  the  person  is  subject  to  suit 
under  the  civil  actions  section  with  respect  to  any  failure  to  comply. 


112 See, e.g., Hawaii Psychiatric Society v. Ariyoshi, 481 F. Supp. 1028 (D. Hawaii 1979)
["There has been no showing, and the court does not believe that there could be a showing, that
the issuance of warrants to search and seize the therapeutic notes, patient history forms, diagnoses,
and other confidential medical records of a psychiatrist, absent even a suspicion that an
individual provider has defrauded the State or failed to maintain records, is necessary to serve
any of the State interests put forward." Id. at 1041.]

113 See, e.g., Hawaii Psychiatric Society v. Ariyoshi, 481 F. Supp. 1028 (D. Hawaii 1979) ["The
private information disclosed to the State in Whalen consisted of the patient's name, age, address,
and use of a certain drug. Here, the degree and character of the disclosure is far more
intrusive. The psychiatrist's records may include the patient's most intimate thoughts and emotions,
as well as descriptions of conduct that may be embarrassing or illegal." Id. at 1041].

114 In Commonwealth v. Korbin, 479 N.E.2d 674 (1985), the Supreme Judicial Court of Massachusetts
found that a grand jury subpoena issued in connection with an investigation of Medicaid
fraud for the complete records of a psychiatrist was overly broad and that the details of a
patient's problems are not necessary to an evaluation of whether a psychiatrist is rendering
services in the amount claimed. The court imposed limits on the type of information that could
be disclosed. The result in this case, and in similar cases decided elsewhere, is fully consistent
with the policy of the Fair Health Information Practices Part that disclosures be limited to the
minimum amount of information necessary to accomplish the purpose. In fact, the case is an
excellent example of the minimum disclosure rule in operation.

In order to assist in the execution of authorizations for standard
purposes,  the  Secretary  is  required  to  develop  and  disseminate 
model  statements  of  intended  uses  and  disclosures.  The  Committee 
anticipates  that  the  Secretary  will  develop  model  statements  for 
life  insurance,  malpractice  litigation,  and  other  routine  activities.  A 
person who uses the Secretary's model statement may so inform individuals
(as provided in the Secretary's rules) and thereby offer a
degree  of  reassurance  that  information  will  be  properly  used. 

A  health  information  trustee  may  disclose  protected  health  infor- 
mation pursuant  to  an  authorization  executed  by  the  individual 
who  is  the  subject  of  the  record.  Any  individual  may  authorize  a 
health  information  trustee  to  disclose  protected  health  information 
to  any  person.  There  are  no  restrictions  in  the  legislation  on  the 
class  of  recipients  or  on  how  those  recipients  may  use  the  informa- 
tion (other  than  the  required  statement  of  uses  and  disclosures). 
With  the  approval  of  the  subject  of  the  record,  information  may  be 
disclosed  to  anyone  and  used  in  any  fashion.  However,  a  person 
who  is  entitled,  qualified,  or  potentially  qualified  to  receive  pro- 
tected health  information  pursuant  to  the  statutorily  authorized 
disclosures  may  not  use  the  authorization  process  to  avoid,  evade, 
or  diminish  any  of  the  requirements  or  restrictions  in  the  Part.  For 
example,  a  health  researcher  may  not  use  the  authorization  process 
to  evade  the  requirement  that  a  health  research  project  be  ap- 
proved by  an  institutional  review  board. 

There  is  nothing  in  the  Fair  Health  Information  Practices  Part 
that  requires  a  health  information  trustee  to  comply  with  an  au- 
thorization from  an  individual.  A  trustee  may,  in  its  discretion, 
refuse  to  make  a  requested  disclosure  that  is  not  otherwise  re- 
quired by  law.  Of  course,  a  trustee  may  not  refuse  to  comply  with 
an  individual's  request  for  a  copy  of  his  or  her  own  record  under 
section  5121.  A  trustee  may  impose  additional  reasonable  require- 
ments on  the  authorization  process.  For  example,  a  trustee  may 
impose  its  own  reasonable  identification  requirements  for  author- 
izations, including  notarization  if  appropriate.  There  may  be  other 
procedural  rules  regulating  the  time,  place,  and  manner  of  presen- 
tation of  authorizations.  In  addition,  a  trustee  is  not  restricted  in 
its  ability  to  charge  a  fee  for  disclosure  or  reproduction  of  records 
pursuant  to  an  authorization. 

A  health  information  trustee  may  disclose  protected  health  infor- 
mation pursuant  to  an  authorization  that  has  been  executed  by  the 
individual who is the subject of the information and that meets eight
requirements.  First,  the  authorization  must  be  signed  and  dated  on 
the  date  of  the  signature.  Normally,  the  authorization  will  be  in 
writing,  but  electronic  authorizations  may  be  used  in  the  future, 
and  there  is  no  requirement  for  a  written  document. 

Second,  an  authorization  may  not  be  included  on  a  form  used  to 
authorize or facilitate the provision of or payment for health care.
Disclosures  for  payment  are  provided  for  elsewhere  in  the  Part, 
and there may be no routine need for authorizations for this purpose.
The requirement for a separate form is to prevent the unwitting
execution of authorizations for other purposes while seeking
payment of claims. For example, this requirement would prevent
an unscrupulous person from obtaining an authorization for the
use of patient information for direct marketing on a claims form or
other routine document.

Third,  an  authorization  must  be  specifically  named  or  generically 
described  in  the  authorization  form.  An  authorization  that  identi- 
fies any  health  care  provider  is  acceptable. 

Fourth,  the  person  to  whom  the  information  is  to  be  disclosed 
must  be  specifically  named  or  generically  described  in  the  author- 
ization form  as  a  person  to  whom  the  information  may  be  disclosed. 
An authorization form that identified the "bearer" is not sufficient
to  meet  the  requirements  of  this  section.  It  is  acceptable  to  identify 
a  company  (e.g.,  "Blue  Cross")  or  law  firm — rather  than  a  named 
individual  at  the  company  or  firm — as  the  recipient. 

Fifth,  the  authorization  must  include  an  acknowledgement  that 
the  individual  has  received  a  statement  of  uses  and  disclosures. 
This  will  serve  as  a  notice  to  the  individual  that  he  or  she  should 
have  received  such  a  statement. 

Sixth,  the  information  to  be  disclosed  must  be  described  in  the 
authorization.  Ideally,  an  authorization  will  list  a  particular  item, 
such  as  a  pathology  report  or  discharge  summary.  A  more  general 
description  might  be  "all  records  related  to  a  specific  hospitaliza- 
tion." An  authorization  may  request  the  release  of  any  or  all  infor- 
mation about  the  individual,  although  it  is  preferable  that  a  re- 
quest be  more  narrowly  focused.  In  the  end,  this  will  be  up  to  the 
individual.  A  trustee  who  receives  a  request  for  all  information 
may,  of  course,  choose  to  release  a  subset  of  that  information.  For 
example,  a  provider  of  psychiatric  services  may  require  a  more  spe- 
cific authorization  for  the  disclosure  of  mental  health  treatment 
notes. 

Seventh,  the  authorization  must  be  presented  to  the  trustee  in 
a  timely  fashion.  For  an  authorization  that  permits  disclosure  to  a 
health  care  provider,  health  benefit  plan,  health  oversight  agency, 
public  health  authority,  health  researcher,  or  person  who  provides 
counseling  or  social  services,  an  authorization  must  be  presented  to 
the  trustee  within  one  year  of  the  date  it  was  signed  by  the  individ- 
ual. An  authorization  directed  at  any  other  person  is  only  good  if 
presented  within  thirty  days  of  signature. 

Eighth,  a  disclosure  pursuant  to  an  authorization  must  be  made 
in  a  timely  fashion.  This  means  that  the  disclosure  must  occur  be- 
fore any  date  or  event  (if  any)  specified  in  the  authorization  upon 
which  an  authorization  expires.  A  trustee  who  received  an  author- 
ization in  a  timely  fashion  has  six  months  to  comply  with  the  dis- 
closure request.  Thus,  if  an  authorization  that  expires  on  March  2 
is  received  by  a  trustee  on  March  1,  the  trustee  may  comply  with 
the  request  even  though  the  information  will  be  disclosed  after 
March  2.  In  this  case,  the  trustee  could  make  the  disclosure  any- 
time before  September  1.  This  flexibility  is  a  recognition  that  it  will 
take  a  trustee  time  to  identify,  retrieve,  and  copy  records. 

An  authorization  may  be  revoked  or  amended  at  any  time  by  the 
individual  who  executed  it.  There  are  two  exceptions.  Where  a  dis- 
closure was  authorized  to  permit  validation  of  expenditures  based 
on  health  condition  by  a  government  authority,  the  individual  may 
not  revoke  authorization.  It  would  be  inequitable  for  an  individual 
to receive a payment contingent on health status and then to allow
the individual to deny access to the records needed to verify that
status. Second, where action has been taken in reliance on the authorization,
the individual cannot revoke the authorization after
the fact. A health information trustee who discloses protected
health information relying on an authorization that has been revoked
shall not be liable if the reliance was in good faith, the trustee
had no notice of the revocation, and the disclosure was otherwise
lawful.

There is a special provision for authorized disclosures pursuant
to subpoena, warrant, or search warrant. In many instances, section
5140 requires notice to the individual before protected health
information may be disclosed pursuant to a subpoena or warrant.
If an individual consents to disclosure pursuant to a subpoena or
warrant, then there is no reason to comply with the notice requirement.
In this case, a trustee may disclose protected health information
pursuant to an authorization and in response to a subpoena
or warrant if the authorization specifically references the subpoena,
warrant, or search warrant and if the authorization otherwise
meets the requirements of the Part. Basically, it is acceptable for
a trustee to comply with a warrant under circumstances where the
individual has specifically consented to the disclosure pursuant to
specified compulsory process.

In general, the Committee expects that execution of authorizations
will become relatively rare events for most patients. Today,
every  insurance  claim  form  contains  an  authorization  of  disclosure. 
These  authorizations  tend  to  be  extremely  broad.  Their  purpose  is 
to  permit  maximum  disclosure  with  minimum  restriction  and  li- 
ability. They  protect  only  the  person  who  seeks  the  authorization 
and  not  the  person  who  is  authorizing  the  disclosure.  Few  patients 
are  actually  aware  of  the  presence  or  scope  of  the  authorizations. 
Even  fewer  are  in  a  position  to  argue  or  amend  any  authorization, 
and  a  patient  who  seeks  to  make  a  change  in  the  authorization 
risks  losing  insurance  coverage  altogether. 

The Fair Health Information Practices Part lays out a different
approach.  Rather  than  rely  on  the  fiction  of  informed  consent  for 
routine  disclosures  for  treatment  or  payment,  these  disclosures  are 
authorized  in  law  under  fair  conditions  that  protect  both  patient 
and  trustee.  This  approach  avoids  loopholes  whereby  information  is 
provided  to  some  with  the  consent  of  the  individual,  but  the  infor- 
mation loses  any  legal  protections  or  restriction  in  the  hands  of  the 
recipient.  By  using  the  Part's  process  for  disclosure,  information  re- 
mains subject  to  restriction  in  the  hands  of  the  recipients  because 
the  statutorily  designated  recipients  remain  health  information 
trustees.  This  same  protection  is  not  available  today,  and  it  cannot 
be fully realized under a system that relies solely on "informed"
consent. The result is that patients receive clearer, better, and
more  comprehensive  protection  for  sensitive  health  information. 
Others  who  require  health  information  to  carry  out  their  activities 
will  be  able  to  obtain  the  information  in  a  simpler  and  less  expen- 
sive manner  because  authorizations  will  no  longer  be  needed  for 
routine  functions.  The  price  for  this  convenience  is  a  greater  duty 
to  protect  the  information  that  is  obtained  and  legal  liability  for 
failure  to  use  the  information  in  accordance  with  the  law.  This  is 
a  workable,  fair,  and  balanced  approach  that  makes  patients  and 
trustees  better  off  and  reduces  cost. 
The Committee recognizes that there will be some individuals for
whom  the  statutory  authorizations  for  payment  or  treatment  are 
troublesome.  Traditionally,  some  individuals  have  sought  health 
care  in  a  manner  that  avoids  disclosure  to  their  insurance  company 
or  employer.  For  these  patients,  there  is  protection  available  under 
the  Fair  Health  Information  Practices  Part.  Section  5131(e)  permits 
an  individual  to  restrict  use  or  disclosure  of  protected  health  infor- 
mation to  a  greater  degree  than  would  otherwise  be  required. 
Where an individual enters into a formal agreement with a trustee
for such restrictions, the trustee is bound by the limitations and
may be sued for failure to comply. Thus, a patient who insists on
paying cash for care so that his insurer does not know about the
treatment can avoid disclosure to the insurer pursuant to the provisions
that permit disclosure to benefit plans. Section 5131(e) requires
a formal agreement so that there is a clear record of the restrictions
that both parties have negotiated.

Section 5193(c) includes a transition provision for an authorization
for the disclosure of protected health information that was
executed before the effective date. If the authorization is otherwise
valid under state or applicable law on the effective date, that
authorization remains valid for a year or until the date or event when
it would otherwise expire, whichever comes first. During this
transition period, valid, pre-existing authorizations do not have to meet
the standards of section 5132 for authorizations.

SECTION  5133.  TREATMENT,  PAYMENT,  AND  OVERSIGHT 

Section  5133  establishes  the  basic  rules  and  procedures  that  gov- 
ern disclosures  for  treatment,  payment,  and  oversight.  The  health 
information  trustees  who  are  eligible  to  make  disclosures  under 
this  section  are  health  benefit  plan  sponsors,  health  care  providers, 
health  oversight  agencies,  and  health  information  service  organiza- 
tions. These  trustees  may  disclose  protected  health  information  to 
a  health  benefit  plan  sponsor,  health  care  provider,  or  health  over- 
sight agency  for  one  of  three  authorized  purposes. 

First,  disclosure  may  be  made  for  the  purpose  of  providing  health 
care  as  long  as  a  protected  individual  who  is  a  subject  of  the  infor- 
mation has  not  previously  objected  to  the  disclosure  in  writing. 
This  permits  a  physician  to  consult  with  another  physician  about 
the  treatment  of  a  particular  individual  without  the  need  for  spe- 
cific consent.  In  the  overwhelming  majority  of  circumstances,  this 
type  of  consultation  is  unobjectionable.  A  patient  who  has  a  con- 
cern can,  however,  make  a  written  objection,  and  the  trustee  is 
bound  to  heed  the  objection. 

Disclosures  are  not  limited  to  those  that  pertain  to  the  treatment 
of  the  subject  of  the  records.  A  disclosure  for  treatment  can  be 
made  in  connection  with  the  treatment  of  any  individual.  For  ex- 
ample, a  physician  in  a  hospital  who  is  treating  a  patient  with  a 
rare  disease  may,  in  the  absence  of  an  objection,  examine  the 
records  of  other  hospital  patients  with  the  same  disease.  However, 
obtaining  access  for  treatment  does  not  authorize  the  physician  to 
disclose  identifiable  information  about  those  other  patients  to  the 
current patient. That type of disclosure would not be authorized
under  this  section  or  under  any  other  section  of  the  part. 

Second, disclosures may be made for the purpose of providing for
the payment for health care furnished to an individual. The authority
to make these disclosures without the express consent of a patient
is a key element of the new approach toward disclosure taken
in the Fair Health Information Practices Part. See the earlier
discussion about the shortcomings of informed consent.

Individuals with special concerns or who simply do not want
these disclosures made without their express consent have the tools
under the legislation to make alternate arrangements. In addition,
the authority to make disclosures for payment is not unlimited. It
remains subject to the general rule that disclosures must be limited
to the minimum amount of information necessary to accomplish the
purpose for which the disclosure is being made. This is a significant
limitation. Under current practice, individuals are typically
asked to sign consent forms that permit disclosure of any or all
information. Under that authority, an insurance claim could include
an entire medical record. Under the authority in section 5133, it
will no longer be possible to disclose an entire record in connection
with a claim for current treatment. Only the information necessary
to process the claim can be disclosed. In this case, the provider has
authority to disclose without express consent, but the provider also
has responsibility to limit the disclosure.

SECTION 5134. NEXT OF KIN AND DIRECTORY INFORMATION

Section 5134 permits health information trustees who are health
care providers or who received information pursuant to the emergency
circumstances section to make disclosures to a patient's
next of kin or of directory information. For each of these disclosures,
there are strict limits on the type of information that can be
disclosed and the circumstances of the disclosure.

Next of kin disclosures present some complex policy problems.
Serious concerns have been expressed that physicians are sometimes
insensitive to the confidentiality interests of patients and
make disclosures to family members that the patients would not
approve. It is also true that physicians routinely share information
with family members in a manner that enhances health care
and that does not raise objections from patients. In most instances,
physicians exercise discretion for these disclosures with care and
appreciation for the interests of patients.

The next of kin issue was discussed at a hearing by Subcommittee
Chairman Gary Condit and Dr. Donald T. Lewers, a practicing
physician who testified on behalf of the American Medical Association.

Mr. CONDIT. The bill gives doctors discretion to disclose
some health information to a patient's next of kin. This
reflects current practice where doctors exercise judgment
about what to tell a patient's spouse, except where the
patient has objected.

This  section  has  been  quite  controversial.  Do  we  need  to 
have  a  written  authorization  before  a  doctor  can  make  a 
routine  disclosure  to  a  spouse? 


See, e.g., testimony of Aimee Berenson, Legislative Counsel, AIDS Action Council; and
Susan  Jacobs,  Staff  Attorney,  Legal  Action  Center,  in  H.R.  4077  Hearings  (May  5,  1994). 

Dr. Lewers. This is a very difficult area. And I deal
with  it  on  a  daily  basis  as  a  practicing  physician.  I  think 
in  general  it  is  accepted,  as  you  said,  that  we  do  release 
information  to  the  next  of  kin,  to  the  legal  next  of  kin.  The 
problem  gets  in  where  there  is  separation  between 
spouses,  and  individuals  who  are  not  living  with  an  indi- 
vidual who  still  legally  is  the  next  of  kin,  and  sometimes 
that  gets  very  hairy. 

I've been in practice 25 years. I've only had two instances
where an individual has come to me and said I do
not  want  you  to  release  information  to  my  family,  to  my 
spouse,  any  information. 

I  get  that  in  writing  and  document  it  and  then  hold  it. 
And  as  a  matter  of  fact  have  locked  those  records.  But  I 
don't  see  that  as  a  big  problem.  It  may  be  a  larger  problem 
as  time  goes  on  and  perhaps  we  have  more  problems  with 
social  issues  of  separation,  et  cetera.  But  at  this  point,  it's 
one  we  have  been  able  to  work  with. 

I'm  not  sure  you  need  to  try  to  get  into  that.  That's 
going  to  be  complex  and  difficult,  I  would  think,  to  write. 
And  it  would  make  more  of  a  hassle  to  sue  in  again  mak- 
ing sure  that  we  have  that  information;  how  often  are  you 
going  to  update  it,  et  cetera. 

Mr.  CONDIT.  So  your  response  would  be  we  do  not  need 
a  written  authorization? 

Dr.  Lewers.  My  feeling  is  that  we  do  not,  at  this  point. 
I  don't  think  it's  much  of  a  problem.  We  run  into  it  every 
day, and I don't think you need to put it into law. 116

In  the  context  of  comprehensive  fair  health  information  practices 
legislation,  it  is  not  possible  to  avoid  the  issue  altogether.  Provid- 
ing statutory  rules  regulating  next  of  kin  disclosures  is  not  a  sim- 
ple task.  It  is  impossible  to  describe  all  of  the  circumstances  that 
might  justify  these  disclosures.  The  Committee  recognizes  the  sen- 
sitivity of  next  of  kin  disclosures  and  has  attempted  to  respond  to 
the  concerns  without  imposing  legalistic  or  bureaucratic  rules  that 
will  unduly  interfere  with  the  physician-patient  relationship. 

The  legislation  proposes  to  allow  physicians  limited  discretion 
with  respect  to  next  of  kin  disclosures.  Under  the  section,  only 
health  care  providers  are  authorized  to  make  next  of  kin  disclo- 
sures. With  one  exception,  other  health  care  trustees  are  not  au- 
thorized to  disclose  any  information  to  a  next  of  kin.  The  exception 
is  for  a  trustee  who  obtains  protected  health  information  as  a  re- 
sult of  an  emergency  circumstance  disclosure. 

Disclosures  may  only  be  made  under  this  provision  orally.  Pro- 
viding access  to  written  records  is  not  within  the  scope  of  the  sec- 
tion. 

Disclosures  can  only  be  made  to  a  patient's  next  of  kin  as  defined 
under  State  law  or  to  a  person  with  whom  the  individual  has  a 
close  personal  relationship.  It  is  not  at  all  unusual  that  the  prin- 
cipal caregiver  to  a  patient  may  not  be  the  legal  next  of  kin.  It  may 
be  a  roommate  or  a  distant  relative.  The  physician  will  have  to 
make a determination about who is a qualified recipient. Doubts
should be resolved by asking the patient or by not making a disclosure.

116 H.R. 4077 Hearings (May 4, 1994).

There are four specific limitations on a physician's discretion to
disclose to next of kin. First, if the patient has previously objected,
then the physician cannot make a next of kin disclosure. The objection
does not have to be in writing to be effective.

Second, the disclosure must be consistent with good medical or
other professional practice. Thus, if it is the accepted practice of
psychiatrists not to discuss any information about a patient with
next of kin, then disclosures under this section would not be permitted.

Third, any disclosure must be limited to information about
health care that is being provided to the individual at or about the
time of the disclosure. Thus, for example, if a patient is being treated
for a broken leg, a physician could discuss aspects of the treatment
with the patient's spouse. But disclosure of information about
previous types of treatment ("Did you know your wife had a drinking
problem twenty years ago?") would be prohibited.

Finally, in order to further limit the possibility that a physician
might misinterpret the discretion granted under the section, the
Committee added another limitation. A physician can only make a
disclosure if the physician has no reason to believe that the individual
would consider the information especially sensitive. Thus, a
physician treating a patient for a sexually transmitted disease,
mental health problems, AIDS, or a similar problem would have to
think twice before making any disclosure under the next of kin
authority. For these types of ailments, the physician would have to
be certain that the patient would not consider the information to
be especially sensitive. It would not, however, prevent a physician
from sharing information that the patient would not consider to be
sensitive. Thus, even when the diagnosis is sensitive, it might be
acceptable to inform a spouse that the patient should stay in bed
or follow specific dietary requirements without disclosing the actual
diagnosis.

Section 5134(b) authorizes the disclosure of directory information
about a patient who is currently receiving health care from a
health care provider or at premises controlled by a provider. Directory
information includes only the name of the patient, the location
(i.e., room number) of the patient on the premises, and the general
health status of the patient. The description of general health status
is limited to words like critical, poor, fair, stable, satisfactory,
or similar terms. Directory information that is disclosable may be
disclosed to any person.

There are additional limitations on the disclosure of directory
information. First, a trustee may not disclose directory information
about an individual if the individual has objected in writing. If an
individual objects in whole or in part to the disclosure of directory
information, that objection is binding on the trustee. Of course, an
individual can agree to a disclosure of additional information, but
the requirements for authorizations in section 5132 will have to be
met.

Second, the disclosure of directory information must be consistent
with good medical and other professional practice. Thus, if the
practice for a psychiatric treatment facility has been never to disclose
the name of patients, then that practice would prevent the
disclosure under section 5134(b).

Third,  any  directory  information  disclosed  may  not  reveal  specific 
information  about  the  physical  or  mental  condition  or  functional 
status  of  a  protected  individual  or  about  the  health  care  provided 
to  a  protected  individual.  If  a  facility  offers  a  single  category  of 
treatment  (e.g.,  for  addiction,  mental  health,  etc.),  then  disclosing 
the  name  of  patients  would  reveal  information  about  their  condi- 
tion or  treatment.  If  so,  then  directory  information  could  not  be  dis- 
closed without  the  consent  of  the  patient. 

Any  information  disclosed  under  section  5134  is  not  subject  to 
the  accounting  requirements  in  section  5124  of  the  bill.  There  is  no 
need  to  keep  an  accounting  of  the  disclosure  in  these  instances. 
Also,  the  recipients  of  information  under  section  5134  are  not  by 
reason  of  receiving  the  information  subject  to  any  of  the  require- 
ments of  the  Fair  Health  Information  Practices  Part.  As  a  result, 
an  individual  who  is  provided  information  about  a  spouse  does  not 
become  a  health  information  trustee.  Some  recipients  of  directory 
information  may  otherwise  be  health  information  trustees,  and 
they  remain  fully  subject  to  the  provisions  of  the  Part. 

SECTION  5135.  PUBLIC  HEALTH 

Health  care  providers  and  public  health  authorities  are  author- 
ized in  section  5135  to  disclose  protected  health  information  in  two 
circumstances.  Disclosures  may  be  made  to  a  public  health  author- 
ity for  use  in  legally  authorized  disease  or  injury  reporting,  public 
health  surveillance,  or  public  health  investigations  or  interven- 
tions. This  authorizes  providers  and  others  to  disclose  information 
for  a  variety  of  inquiries  and  interventions  to  protect  the  public 
health  and  safety. 

Disclosures  may  be  made  for  traditional  public  health  surveil- 
lance, investigation,  and  intervention  with  respect  to  communicable 
disease  as  well  as  other  conditions  and  injuries.  In  all  States,  cer- 
tain conditions  are  required  to  be  reported  to  public  health  authori- 
ties. The  bill  allows  disclosures  to  comply  with  these  requirements, 
including  those  imposed  directly  by  statute  and  those  imposed  by 
administrative  action  based  on  statutory  authority.  While  not  all 
public health surveillance activities require identifiable information,
many do. These programs are especially important in management
and control of infectious disease. 117 This section also permits
other  disclosures  to  public  health  authorities  that  are  necessary  for 
investigation  or  intervention,  such  as  identifying  all  the  persons 
who  might  have  been  exposed  to  a  person  with  a  communicable  dis- 
ease. 

Public health agencies that receive information are sharply constrained
in how they may further disclose it in identifiable form.
Public health authorities have a long ethical tradition of complete
confidentiality in the conduct of their investigations, and are subject
to confidentiality obligations under State law. They carefully
safeguard information. However, there may be instances where
their inquiries may involve implicit or explicit disclosures of patient
identities in order to conduct their investigations and interventions,
and such disclosures are not forbidden, as long as they are
in accordance with State law and are necessary for a public health
purpose. This provision permits, for example, spousal notification
programs.

117 Infectious disease is still a serious threat to health. See, e.g., Department of Health and
Human Services, Public Health Service, Centers for Disease Control and Prevention, "Addressing
Emerging Infectious Disease Threats: A Prevention Strategy for the United States" (1994).
In this report, a major objective offered by CDC is expansion and coordination of surveillance
systems for the early detection, tracking, and evaluation of emerging infections in the United
States. The report states that "[s]urveillance is the single most important tool for identifying
infectious diseases that are emerging, are causing serious public health problems, or are
diminishing in importance." Id. at 12.

Information received by a public health authority under this section
may not be used or disclosed in any administrative, civil, or
criminal action or investigation directed against the patient, except
where the use or disclosure is authorized by law for the protection
of the public health. This generally prohibits all collateral uses of
patient information, except in actions like proceedings to isolate or
quarantine a person with a communicable disease — such as
tuberculosis — who endangers the public health.

This section is also a basis for certain disclosures to private entities,
operating under legal authority, in the course of public health
surveillance and similar activities. The definition of public health
authority in section 5120(b)(9) includes a person acting under the
direction of a public health authority. Similarly, cancer registries
are sometimes operated by non-governmental research institutions,
and reports to them are required by State law as part
of a program to identify the causes of cancer. The tracking of medical
devices, required by the Federal Food, Drug, and Cosmetic
Act 120 may require that patient identifiers in some instances be
reported by physicians to device manufacturers.

An  individual  who  receives  information  pursuant  to  the  disclo- 
sure authority  for  public  health  interventions  does  not  become  a 
health  information  trustee  and  is  not  subject  to  any  requirement 
as  a  result.  If  a  disclosure  is  made  under  this  authority  to  a  health 
care  provider  or  other  person  who  is  otherwise  a  health  information 
trustee,  this  does  not  exempt  that  trustee  from  its  obligations 
under  the  part.  The  policy  is  directed  at  spousal  notification  where 
the imposition of confidentiality duties would not make sense or be
effective.

SECTION 5136. HEALTH RESEARCH

Section 5136 establishes rules for disclosure of protected health
information to health researchers. The importance of health research
to the Nation's health and well-being can be illustrated in
many different ways. One can point to the dramatic increase in the
life expectancy of Americans, the list of diseases that are no longer
serious threats to health, or to the billions of dollars appropriated
each year by Congress to support research. Health research is an
integral and necessary part of the modern health care system, and
access to health care records is vital to the conduct of some health
research projects.

118 The emergence of multidrug resistant tuberculosis has renewed attention to the powers of
States to isolate and quarantine individuals who endanger public health. All States have laws
to assist in controlling the spread of communicable diseases. See Gostin, "Controlling the
Resurgent Tuberculosis Epidemic", 269 Journal of the American Medical Association 255 (1993).

119 See, e.g., §§399H-399L of the Public Health Service Act, 42 U.S.C.A. §§280e-280e4 (West
Supp. 1994).

120 21 U.S.C.A. 360i (West Supp. 1994).

Researchers  point  out  that  it  is  impossible  to  carry  out  many 
types  of  research  without  access  to  identifiable  patient  records.  In 
testimony  delivered  on  behalf  of  the  Society  of  Epidemiological  Re- 
search and  the  Association  of  American  Medical  Colleges  during 
consideration  of  a  similar  bill  during  the  96th  Congress  in  1979, 
Dr. Leon Gordis, Chairman of the Department of Epidemiology at
the  Johns  Hopkins  School  of  Hygiene  and  Public  Health  offered 
several  specific  examples  of  epidemiological  studies  that  could  not 
have  been  conducted  without  access  to  identifiable  medical  records: 

A.  DES  AND  VAGINAL  CANCER 

In  order  to  convey  some  idea  of  just  how  important  the 
legitimate  research  use  of  medical  records  is,  I  should  like 
to  cite  a  few  major  findings  from  several  epidemiologic 
studies. First, I should like to refer to the studies dealing
with  diethylstilbestrol  or  DES  as  it  is  known.  These  stud- 
ies of  the  effects  of  DES  in  human  beings  are  particularly 
important  since  for  many  years  DES  was  added  to  live- 
stock feeds  in  the  United  States.  A  few  years  ago,  inves- 
tigators in  Boston  demonstrated  through  an  epidemiologic 
study,  that  when  mothers  took  DES  during  pregnancy  to 
prevent  a  miscarriage,  female  offspring  of  these  preg- 
nancies were  at  increased  risk  of  developing  a  rare  type  of 
cancer  of  the  vagina  when  they  reached  adolescence. 

This  study  could  only  have  been  carried  out  through  the 
use  of  medical  records.  Three  particular  features  are  note- 
worthy here:  First,  the  cancer  did  not  appear  in  the  person 
taking  the  medication  but  only  in  her  female  offspring  ex- 
posed to  DES  during  intrauterine  life.  Second,  the  cancer 
appeared  some  15  to  20  years  after  exposure  to  DES  so 
that  it  was  necessary  to  go  back  many  years  to  determine 
exposures  and  to  identify  the  drugs  taken  in  pregnancy. 
Third,  in  this  study,  the  girls  and  young  women  who  had 
this  cancer  were  first  identified  from  their  medical  records, 
and  only  then  could  their  mothers  be  contacted  and  fol- 
lowed-up.  Consequently,  if  use  of  medical  records  were  pro- 
hibited, or  if  such  use  were  permitted  only  with  the  con- 
sent of  the  patient,  these  studies  which  demonstrated  the 
cancer-producing  effect  of  DES  in  women  many  years  after 
exposure,  would  have  been  impossible  to  carry  out. 

This  study  is  perhaps  the  first  demonstration  in  human 
beings  of  transplacental  carcinogenesis,  i.e.,  that  cancer 
causing  agents  taken  by  the  mother  can  cross  the  placenta 
and  produce  cancer  in  the  offspring.  There  may  be  other 
such  agents — presently  unknown — which  mothers  should 
avoid  during  pregnancy  because  of  the  hazard  to  their  chil- 
dren. In  order  to  identify  these  agents,  thorough  epidemio- 
logic investigations  using  medical  records  are  needed  to 
protect  the  health  of  American  women  and  their  children. 
This  is  an  area  which  could  not  be  explored,  however,  if  re- 
strictions were  placed  in  research  uses  of  medical  records. 

B. OCCUPATIONAL CANCERS

I should like to turn to another important area — the
health  of  the  American  worker.  In  recent  years,  there  has 
been  increasing  recognition  that  Americans  employed  in 
industries  are  often  subjected  to  high  concentrations  of  po- 
tentially toxic  substances.  Thus,  for  example,  workers  ex- 
posed to  vinyl  chloride  have  been  shown  to  be  at  high  risk 
of  liver  cancer.  This  finding,  which  has  now  been  con- 
firmed in  a  number  of  studies,  could  only  be  made  by  re- 
viewing the  medical  records  of  large  groups  of  employees 
in  specific  industries  and  linking  the  employees'  records  at 
the  factory  site  with  hospital  records  and  death  certificates 
if  they  exist.  Without  access  to  these  records  it  would  be 
impossible  to  have  identified  vinyl  chloride  as  a  cause  of 
cancer  in  occupationally  exposed  human  beings.  I  should 
also  point  out  in  this  connection,  that  if  there  were  a  re- 
quirement that  patient  consent  be  obtained  before  the 
records were made available — these studies could also not
have  been  carried  out  because  many  patients  had  either 
died  by  the  time  the  study  was  done  or  else  had  moved 
and  could  not  be  traced. 

It  is  clear  that  we  have  only  begun  to  scratch  the  surface 
in  terms  of  the  toxic  and  cancer-producing  potentials  of 
substances  to  which  American  workers  are  exposed  in  the 
course  of  their  daily  labors.  Any  restriction  which  would 
preclude  the  possibility  of  identifying  new  damaging  sub- 
stances and  documenting  their  harmful  effects  would  be  a 
major  setback  to  the  protection  of  the  health  of  the  Amer- 
ican worker. 

C.  PREVENTIVE  BLINDNESS  IN  PREMATURE  INFANTS 

I  should  like  to  turn  briefly  to  a  tragic  medical  story 
which  unfolded  during  the  1950's.  At  the  time  premature 
infants  who  were  of  low  birth  weight,  were  found  to  have 
an  increased  risk  of  a  form  of  blindness  called  retrolental 
fibroplasia.  Surprisingly,  the  risk  of  blindness  was  highest 
in  the  best  medical  centers  in  our  country  while  in  the  less 
sophisticated  and  less  well-equipped  medical  centers,  the 
risk  seemed  lower.  Initially  there  was  no  clue  as  to  what 
might  be  causing  this  blindness  and  numerous  investiga- 
tions in  many  areas  were  carried  out.  However,  epidemio- 
logic investigations  subsequently  demonstrated  that  the 
cause  of  this  blindness  was  high  oxygen  concentrations  ad- 
ministered to  the  premature  newborns.  These  high  con- 
centrations were  often  only  provided  in  the  best  medical 
centers,  since  at  that  time,  the  highest  possible  oxygen 
concentration  was  considered  the  best  medical  care  for 
these  infants.  Since  that  time,  restriction  of  the  oxygen 
concentration  to  a  lower  level  when  administered  to  pre- 
mature infants  has  virtually  wiped  out  this  form  of  blind- 
ness in  prematures.  Again,  these  studies  which  dem- 
onstrated that  high  oxygen  concentrations  were  the  cause 
of blindness in children and that reducing these concentrations
could prevent such blindness, would have been totally
impossible to carry out were access to medical records
restricted. 

D.  BENEFITS  OF  ANTICOAGULANT  DRUGS  FOR  PATIENTS  WITH 
HEART  ATTACKS 

For  many  years,  there  has  been  a  difference  of  opinion 
among  physicians  with  regard  to  the  possible  effects  of 
anticoagulants  in  the  treatment  of  patients  who  have 
heart  attacks.  Several  years  ago,  we  carried  out  a  study  in 
which  we  reviewed  the  records  of  a  large  number  of  pa- 
tients who  had  heart  attacks  and  who  had  been  hospital- 
ized some  years  previously.  We  ascertained  which  patients 
had  received  anticoagulants  and  which  patients  had  not, 
and  then  determined  which  patients  had  died  during  their 
hospitalizations.  We  were  able  to  show  that  the  death  rate 
was  much  lower  in  patients  who  had  received 
anticoagulants  during  their  hospitalization  than  in  those 
who  had  not.  This  important  observation  has  now  been 
confirmed  in  another  study  carried  out  in  our  Department. 
We  believe  that  in  the  coming  years,  these  findings  will 
have  major  implications  for  care  of  heart  attack  victims. 
Yet  both  studies  could  not  have  been  carried  out  without 
the  use  of  medical  records  and  identifying  information,  and 
would  have  been  impossible  had  the  consent  of  the  patient 
been  required  for  reviewing  these  records. 

E.  HARMFUL  EFFECTS  OF  THE  PILL  (ORAL  CONTRACEPTIVES) 

Although  the  "pill"  has  been  demonstrated  to  be  a  highly 
effective  and  convenient  form  of  birth  control  which  has 
been  adopted  by  many  American  women  as  their  form  of 
contraception,  a  large  number  of  epidemiologic  studies 
have  now  demonstrated  that  women  taking  the  pill  for 
long  periods  of  time  are  at  an  increased  risk  for  blood 
clots,  strokes,  heart  attacks,  high  blood  pressure,  liver  tu- 
mors, gallbladder  disease,  congenital  malformations  in 
their  offspring  and  other  conditions.  These  highly  signifi- 
cant findings  were  in  large  measure  the  result  of  large 
scale  studies  which  used  hospital  and  medical  records — 
studies  which  again  would  have  been  impossible  to  carry 
out  if  patient  consent  had  been  required. 

F.  IMPROVED  SURVIVAL  OF  CHILDREN  WITH  LEUKEMIA 

One of the greatest accomplishments of American medicine during the past two decades has been the breakthrough in the treatment of acute leukemia in children. While children with leukemia at one time died within a few months after diagnosis, with the new advances in therapy, they now live many years—and are often free of any evidence of their disease. The demonstration that new forms of therapy have resulted in an improved outcome such as this for the patient also requires the use of medical records.

Statistical projects, health services research, and health related behavioral research also depend upon access to identifiable patient records in order to be effective.122 Reporting systems and surveys of hospital care, physicians' services, nursing home care, and other institutional and home care provide information on access to health care, indicators of quality and cost of care, and data showing variations over time.

Research on health encompasses many factors beyond the facts elicited through medical diagnosis and evaluation. Thus, the definition of allowable research for which disclosures may be made includes "behavioral and social factors affecting health." Health research often includes the study of social and behavioral factors that influence health outcomes. For example, family composition, age, income, labor force participation, and area of residence all influence health conditions and are useful in planning and evaluating the effectiveness of health care delivery and in setting policy with regard to health programs. Health care data may also be used indirectly in health statistics and research activity. For example, enrollment data in the health care program could be used for improving our understanding of the population in general statistical activities, the results of which can be used by health researchers and policy makers to understand health outcomes.

If researchers had to obtain specific patient consent before records could be used, many research projects would never be undertaken. There are several reasons why patient consent is an impractical requirement. Many studies are initiated after the original health care information was recorded. It would be impossible to foresee all possible studies for which a health care record might be valuable and to obtain consent in advance. Few if any patients have ever been asked to sign such consents, and most existing records would not be available to researchers.

It might therefore be necessary to obtain specific consent for each proposed research project. However, review of patient records by researchers is frequently the first step in identifying patients with the disease that is to be studied. Until the records are reviewed, the patients cannot be identified to ask for consent. Yet if the consent were required, the patients could not be asked to give consent until they were identified by looking at the records. This is clearly an impossible situation.

There is another aspect of patient consent that makes it a poor prerequisite for research. The unavailability of or lack of consent from some patients could seriously bias the results of the research in an unforeseen way. The exclusion of some records from a study might not happen in a random fashion. Patients with a certain significant medical feature might tend to be the patients who refused consent. The consequence of permitting some records to be excluded from a study is to raise doubts about the validity of the study.

121 "1979 House Hearings" at 484-89.

122 For a discussion of the Administration's plans for health research activities, see testimony of Nan D. Hunter, Deputy General Counsel, Department of Health and Human Services, in "H.R. 4077 Hearings" (April 20, 1994). For a discussion of the use of health records in statistical activities, see the statement submitted by Norman Bradburn, Chair, Committee on National Statistics, National Research Council, in "H.R. 4077 Hearings." See also Committee on National Statistics, "Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics" (1993) (National Research Council).

123 1979 House Hearings at 483-4 (testimony of Dr. Leon Gordis, Society for Epidemiologic Research and the Association of American Medical Colleges).

Section 5136 strikes a fair balance between the confidentiality interests of patients and the needs of health researchers. Most health information trustees may disclose protected health information for health research. Section 5136(d) identifies the trustees who may not make disclosures for research purposes. Those who become health information trustees because of disclosures under section 5138 (relating to judicial and administrative purposes), paragraphs (1), (2), or (3) of section 5139(a) (relating to law enforcement), or section 5140 (relating to subpoenas, warrants, and search warrants) may not disclose information to health researchers.

All other trustees may disclose protected health information to health researchers subject to three general conditions. First, the disclosure must be to a person who is conducting an approved health research project. An approved health research project is defined in section 5120(c)(3) to be a biomedical, epidemiological, or health services research or statistics project, or a research project on behavioral and social factors affecting health, that has been approved by a certified institutional review board (IRB). The definition of the type of research that can qualify as a health research project is intentionally broad. Limitations are best imposed by the IRBs rather than by a restrictive and inflexible statutory definition.

Second, the protected health information to be disclosed must be used in the health research project. There is no need to disclose information that will not be used in a research project.

Third, the health research project must have been determined by a certified IRB to be of sufficient importance so as to outweigh the intrusion into the privacy of the protected individual who is the subject of the information that would result from the disclosure. This is obviously a balancing test. Any disclosure of protected health information involves an invasion of privacy. Where there are appropriate protections for the information, the risk of further invasions of privacy is small. Nevertheless, the consequences of the disclosure for patient privacy must be weighed against the importance of the research, its probable value to society, and the likelihood of success.

No specific guidelines for making this judgement have been included in the bill. Institutional review boards are already in existence and are already making similar evaluations. The decision about privacy should be made in the same fashion, relying on the knowledge and experience of the members of the board. The Secretary can provide additional guidance as appropriate through the regulations that will implement the certification requirement for IRBs that is contained in section 5136(e).

There is a second test that IRBs must apply when evaluating health research projects. The IRBs must find that it is impracticable to conduct the research without the information. This does not mean that it must be impossible to conduct the research in any other way, nor does it require that patient consent be obtained if at all possible. The IRBs may weigh such factors as cost, time and other resources available for data collection, and the quality of results. Of course, when an alternative to the disclosure of identifiers would not be unreasonably disruptive to the research, the IRB could require use of that alternative.

There are several conditions that attach when protected health information is disclosed for use in a health research project. First, the health researcher may only use the information for the purposes of an approved health research project. Any other use would be a violation of law and would subject the researcher to criminal or civil penalties as applicable. A researcher who wants to use or disclose protected health information for a purpose not originally approved by an IRB must return and receive permission from the IRB prior to any other use or disclosure.

Second, the health researcher may not use or disclose the information in any administrative, civil, or criminal action or investigation directed against the subject of the protected health information. If a patient's information is to be used for research, it is fair and appropriate that the patient not be jeopardized as a result of that use. Information that a patient told a physician in confidence that is subsequently made available to a health researcher may never be used against the patient in any way. This absolute protection is an essential part of the bargain that permits use of records by researchers.

Third, the researcher must remove or destroy information that would permit individuals to be identified at the earliest opportunity consistent with the purpose of the project, unless an IRB has determined that there is an adequate health or research justification for retention of identifiers and that there is an adequate plan to protect the identifiers from any use and disclosure that is inconsistent with the Fair Health Information Practices Part. A health researcher who wants to retain identifiers must apply to a review board for permission. This may be done at the time that a project is approved initially or at a later time.

There are several reasons why it may be important to permit the retention of identifiers after a study has been completed. First, when results are published and reviewed by other researchers and by scholars, questions about the conduct of the research or the accuracy of the data may arise. If the identifiers have been destroyed, there may be no way to verify the results and the validity of the research will be in doubt. There have been enough cases of fraudulent research in recent years to make this a serious concern.

Second, it is possible that the results of one study when combined with the results of concurrent or subsequent studies may suggest new lines of analysis. Early destruction of identifiers may make it impossible to reanalyze or recombine data or consider new hypotheses.

Third, even when there is no immediate need for identifiers after a study is complete, the possibility that a follow-up study may be done in the future may provide a sufficient reason for retention. If identifiers are destroyed, future avenues of research may be arbitrarily cut off, and money or time may be wasted duplicating the original research. For example, if the effect of a new drug or medical technique is studied and the identifiers are destroyed upon completion, it may not be possible to reopen the study five or ten years later to investigate the possibility of additional and unforeseen side effects. Other long range studies of specific populations may also be prevented.

For these and similar reasons, automatic destruction of identifiers is not required. Where a researcher wants to retain identifiers beyond the immediate needs of the research project, the researcher must obtain specific approval from an IRB. The standard established in the bill—an adequate health or research justification for retention—is intentionally liberal. If there is a reasonable likelihood that the identifiers might be valuable in the future, an IRB may approve retention.

Any long-term retention of identifiable data entails additional responsibilities on the part of the researcher for the protection of patients. In order to assure that the identifiers will not be misused or improperly disclosed, the researcher must present the institutional review board with an adequate plan for the protection of identifiers. The plan should provide for the storage of identifiers in a reasonably safe place under the custody of a person who is aware of the sensitive nature of the information and of the procedures that must be followed before any further disclosure is permitted. Disclosure of protected health information by one researcher to another can only be made with the approval of an institutional review board.

The identifiers may be left in the custody of the researcher, the institutional review board, or other responsible person or institution. Security plans do not have to be unnecessarily elaborate or expensive, and identifiers need only be provided with a reasonable degree of protection given the potential threats to misuse. The institutional review board must approve the plan of the researchers, but it is the researcher who is responsible for carrying out the plan as approved.

For some types of research projects, the need for long-term or permanent retention of identifiable patient information is a necessary feature of the project itself. In the case of registries, such as tumor, cancer, or other diseases, one purpose of the project is the creation of an information resource for the use of other researchers.124 Approval for identifier retention for registries should present no difficulties for an institutional review board.

Section 5136(e) describes the general requirements for certification of IRBs by the Secretary of HHS. The certification process will give the Secretary the ability to exercise both substantive and procedural control over the activities of IRBs. Independent oversight of IRBs is important. The Working Group on Ethical, Legal, and Social Implications of the Human Genome Project points out that IRBs are not independent of the institutions that created them. The inherent conflict of interest is particularly strong when an IRB reviews research with commercial potential for the institution or company at which the IRB is located. These conflicts are less likely to be present when an IRB reviews research sponsored by another institution. The Secretary may issue rules covering situations where there is an inherent conflict of interest.

124 Disease registries can qualify as health research projects and can receive protected health information as long as their activities have been approved by an IRB. In the case of registries operated by or at the direction of public health authorities, IRB approval may not be necessary. Section 5135 authorizing disclosures for public health permits disclosures to public health authorities for disease or injury reporting and for public health surveillance.

The certification requirement is not intended to produce a major change in existing IRBs, and the bill requires that the regulations be based on existing IRB rules under section 491(a) of the Public Health Service Act. There may be a need for different rules for IRBs that review commercially sponsored research or for IRBs that make determinations regarding disclosure of information from health information service organizations.

SECTION 5137. EMERGENCY CIRCUMSTANCES

Section 5137 authorizes all health information trustees to make disclosures of patient information in emergency circumstances. The specific requirements are that the trustee must believe on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual. A common circumstance will be when an individual is brought into an emergency room, and records of previous treatment are needed to assist in providing immediate health care. The authority is not limited, however, to disclosures for the treatment of the subject of the information. Another circumstance might involve the disclosure of psychiatric information about a person holding a hostage who poses a serious and imminent threat to the safety of the hostage.

The language in the bill was drawn from a similar provision in the New Zealand Health Information Privacy Code 1994 issued by Bruce Slane, the Privacy Commissioner of New Zealand.125 Mr. Slane also provided an excellent illustration of the application of the policy for emergency disclosures using an older court decision involving disciplinary proceedings against a physician for breach of confidence.

The facts of the case were that Dr. Duncan was a medical practitioner in a rural community. Mr. Henry, a patient of Dr. Duncan's and a bus driver by occupation, had a series of heart ailments. On the day before Mr. Henry was to drive on a charter trip, Dr. Duncan spoke to a woman who was to be a passenger and advised her that Mr. Henry was not fit to drive. Dr. Duncan also spoke to Mr. Henry and to the police constable. Dr. Duncan also asked a patient to help organize a petition to have Mr. Henry barred from driving passenger vehicles. Following a complaint, a professional disciplinary committee found Duncan guilty of misconduct for breach of professional confidence. It was the disclosure of information to lay people—and not to the constable—that was the cause for the censure.

Privacy Commissioner Slane applied the facts of this case to the emergency disclosure provision in the New Zealand code. He found that first, Dr. Duncan would need to believe on reasonable grounds that it was not desirable or practicable to get Mr. Henry's authorization for the disclosure. Second, Dr. Duncan would need to believe on reasonable grounds that (i) there is a serious threat to public safety; (ii) the threat was imminent; (iii) the disclosure of the information to the constable would prevent or lessen the threat; and (iv) the disclosure of Mr. Henry's medical information was necessary to prevent or lessen the threat (that is, the threat could not be prevented or lessened in some other way not involving a breach of confidence). Third, the disclosure made to the constable would have to be limited to the information necessary to prevent or lessen the threat to public safety. This means that disclosure to persons other than the constable was unnecessary. Mr. Slane concluded that disclosure to the constable was probably acceptable, although a road licensing authority might have been a better choice. Mr. Slane also suggested that disclosure to the potential passenger might be justified, although his remarks are not definitive on this point.

125 Rule 11(2)(b).

126 The discussion of the Duncan case comes from a speech given by Mr. Slane at the Wellington (NZ) School of Medicine on February 9, 1994.

Privacy Commissioner Slane's analysis is generally instructive for the provision in the Part. The last point raises a highly controversial matter in this country that involves the physician's duty to warn. The leading case in the United States is Tarasoff v. Regents of the University of California.127 In that case, a psychologist was told by a patient that the patient intended to kill a third person. The psychologist notified the police but did not warn the intended victim. The patient subsequently killed that person. The Supreme Court of California found that the therapist had an obligation to use reasonable care to protect the intended victim against danger, including warning the victim of the peril.

The Tarasoff decision has been controversial, and not all states have reached the same conclusion. Regardless, the emergency disclosure provision in the legislation takes no substantive position on a trustee's duty to warn. If such a disclosure is required or appropriate under applicable law, then it may be made consistently with the Fair Health Information Practices Part. However, there is no requirement that a disclosure that is authorized must be made by a trustee. If a duty-to-warn disclosure is not required or appropriate under state or other applicable law, then there is no obligation under section 5137 to make the disclosure. The Fair Health Information Practices Part is completely neutral on the substantive question, but it permits a duty-to-warn disclosure provided that the standards for emergency disclosures are met.

It is much more likely that the emergency disclosure authority will be used to assist in a treatment setting. Robert Bolan, Vice Chairman of the Board of Directors of Medic Alert Foundation, testified about the problems and the promise of requests for emergency disclosure of medical information:

Medic Alert is currently the largest information data bank of patient-supplied medical information in the world. It has been estimated that Medic Alert helped avert tragedy in over 207,000 medical emergencies since the Foundation's inception. Speed of delivery is crucial for emergency treatment. The emergency room or trauma scene is a diagnostic epicenter where lives are won or lost by seconds. Emergency physicians and paramedics walk a tightrope between protecting a patient's right to privacy and accessing private medical information when he or she is unable to authorize disclosure. Medic Alert has grappled with this privacy issue since 1956 and although 100-percent confidentiality cannot be guaranteed, we will always err on the side of saving a life.128

The Committee recognizes the pressures and uncertainties that may arise when disclosures are requested under emergency circumstances. Decisions about disclosure must often be made instantaneously and without the ability to seek consent or to perform complete verification of the request. The language of the emergency disclosure section has been written with this in mind. The health information trustee can disclose protected health information under the emergency circumstances specified in the bill when the trustee believes on reasonable grounds that there is a need. A trustee who acts in good faith and makes a reasonable judgment cannot be liable if later events reveal that the judgment was in error. The trustee's judgment must be assessed for its reasonableness based on the information that was available to the trustee at the time the disclosure was made.

Information about an individual that is disclosed under the emergency circumstances section may not be used in any administrative, civil, or criminal action or investigation directed against the individual, except an action or investigation arising out of and related to health care or payment for health care. This is to protect an individual when information may be disclosed to law enforcement officials in an emergency. It is not intended to prevent someone who receives a Tarasoff warning from seeking appropriate protection from the courts. Nor is the same information that has been disclosed otherwise protected from use for that purpose by the original trustee.

SECTION 5138. JUDICIAL AND ADMINISTRATIVE PURPOSES

Section 5138 authorizes three types of disclosures for judicial and administrative purposes that can be made by health benefit plan sponsors, health care providers, health oversight agencies, or by trustees who have obtained protected health information pursuant to section 5137 (emergency circumstances), or section 5140 (subpoenas, warrants, and search warrants).

Two of the disclosures are relatively uncomplicated. Disclosure may be made when directed by a court in connection with a court-ordered examination of an individual. The court can direct how the information is to be used to accomplish the purpose of the examination. Disclosures may also be made to assist in the identification of a dead individual. This might entail the use of dental or other records that may be needed in the identification process. Section 5138(b)(2) requires that the trustee be provided with a written statement that the information is sought to assist in the identification of a dead individual.

The third type of disclosure is pursuant to the Federal Rules of Civil or Criminal Procedure or comparable rules of other courts or administrative agencies in connection with litigation or proceedings to which a protected individual who is a subject of the information is a party and in which the individual has placed his or her physical or mental condition or functional status in issue. In this type of litigation or proceeding, the individual's privacy interest is necessarily more limited and, at the same time, the individual is already in a position to seek appropriate restrictions from the court.

Section 5138(b) sets out a process that will provide appropriate assurance to trustees as well as adequate notice to the protected individual. A person seeking protected health information pursuant to the discovery provision is required to notify the protected individual or the individual's attorney of the request for information. The person seeking the information must also provide the trustee in possession of the information with a signed document attesting 1) that the subject of the record is a party to the litigation; 2) that the individual has placed his or her physical or mental condition or functional status in issue; and 3) the date on which the subject of the record was notified of the request. The person seeking the information may not accept it from the trustee until ten days after the notice was given to the subject of the record.

This procedure will assure that there is actual notice to the subject of protected health information so that the subject will have an opportunity to object in a timely fashion. Just because there is litigation that involves an individual's medical information, it does not mean that the individual's entire medical file is necessarily relevant to that litigation. If there is a dispute, this procedure will allow it to be resolved by the tribunal considering the matter. The general rule in section 5131(c)(1) that disclosures must be limited to the minimum amount of information necessary to accomplish the purpose for which the information is to be used is fully applicable, and this rule may be used by patients to contest the scope of discovery requests.

In these matters, the trustee is generally in the position of a stakeholder. It may or may not have an independent interest to assert, but the procedure will allow the trustee to assert any such interest. The burden of assuring compliance with the patient notice requirement falls on the requester and not on the trustee. The requester cannot accept any of the information until the ten day notice period has elapsed.

Any information that is disclosed under section 5138 is subject to a very strict limitation on further use and disclosure. The information can only be used to accomplish the purpose for which the disclosure was made. This is appropriate because a person who succeeds in obtaining protected health information for a very specific purpose should not have unlimited ability to redisclose the information. The information may be used in the course of litigation—subject to any protective orders or restrictions imposed by the court—but collateral uses and disclosures are prohibited. A litigant who obtains information under section 5138 becomes a health information trustee and must comply with applicable provisions of the Fair Health Information Practices Part.

SECTION  5139.  LAW  ENFORCEMENT 

Most needs of law enforcement agencies for protected health information can be satisfied through the use of compulsory process. Before protected health information can be obtained from a health information trustee, however, the agency must usually serve a copy of the process upon the patient, who may challenge it in court. There are several circumstances under which notice to the patient is either unnecessary or would prevent the acquisition of medical information by police in a timely fashion. Section 5139 recognizes three types of disclosures of protected health information that any trustee (other than a health information service organization) may make to a law enforcement agency without the consent of the patient and without advance notice to the patient.

The first is when medical information is needed for use in an
investigation or prosecution of a health information trustee. Health
care fraud has become a large problem, and governments at all
levels are making major efforts to combat it. The costs of fraud are
very large and any significant interference with fraud
investigations will only lead to further increases in cost.

Most investigations of fraud are directed at doctors or
institutional care providers, and it is rare for a patient to be a target.
Fraud investigation frequently requires large numbers of patient
records in order to establish patterns of illegal activity. Notice to
all patients whose records are inspected would not only be
administratively burdensome, but would also be unsettling to patients. If
every patient of a particular doctor or clinic received a notice about
an impending investigation, many would become unduly alarmed
and might unfairly conclude that their doctor was involved in
criminal activity. Such a notice might also disrupt important
medical treatment. On balance, it is better to allow for access for this
important law enforcement purpose without notice to the patient.
The other provisions of section 5139 described below offer adequate
protection for the privacy rights of patients.

The second type of disclosure that is permitted under section
5139 is in connection with criminal activity committed against a
trustee or an affiliated person of the trustee or on premises
controlled by the trustee. This permits a trustee to report to the police
that a crime has been committed by a patient on the premises of
the trustee. Also, when a patient threatens or harms a trustee
employee regardless of the location, disclosures are likewise
permitted. This is normal reporting of criminal activity that might be
made by any person who witnesses or is a victim of a crime. An
example is where an inpatient criminally assaults another
inpatient. Even though the information about the assault will be part
of the medical information maintained by the trustee, the
information may be reported to the police. Nothing in section 5139
prevents a trustee from reporting criminal activity committed by
employees or visitors.

Information about totally unrelated criminal activity that a
patient confides in his physician is not disclosable under this section.
An example is where a patient in the course of treatment informs
his physician of illegal narcotics activity. It is not a physician's role
to report such information to the police. Of course, if a physician
learns of activity that involves a threat to the life or physical safety
of an individual, it may be appropriate for the physician to report
the information. This type of disclosure is permitted under the
emergency provisions of section 5137. However, under other less
compelling circumstances, communications between a patient and
a physician should remain confidential.129

Finally, medical information may be disclosed if it is needed to
determine whether a crime has been committed by a person other
than the patient or the nature of such crime. This provision is
intended to permit information about the victim of a crime to be
made available in a timely fashion in order to allow police to fully
investigate a crime or to allow prosecutors to determine the proper
charge. For some crimes, the severity of the victim's injuries will
be the determining factor in making a formal legal charge against
a suspect. For medical information to be relevant, the crime will
normally involve bodily injury to the patient.

As with all other disclosures that are permitted to be made
without the consent of the patient, no trustee is required to make a
disclosure except where compelled by another law. A request by police
for information that may be disclosed under section 5139 is not
compulsory unless some other law makes the disclosure mandatory.
Trustees may exercise discretion in deciding whether the
information that the police have requested should be disclosed.

Any disclosures for identification or location purposes are limited
to information needed for such purposes. When police are
attempting to locate an individual, there is no need for a trustee to disclose
any protected health information other than an address and
perhaps other relevant identification information. Confidential
communications, diagnoses, and other specific information cannot be
disclosed.

Another category of disclosure to law enforcement authority is
permitted for a narrower class of health information trustees. All
trustees other than health information service organizations, public
health authorities, and health researchers may disclose information
to assist in the identification or location of a victim, fugitive, or
witness in a law enforcement inquiry. There are two basic
circumstances under which this type of disclosure might occur. The
first is when an identified suspect, fugitive, or witness is being
sought by the police. A trustee may respond to an inquiry about
the present whereabouts of such an individual. A hospital cannot
be permitted to become a sanctuary for criminals or others wanted
by law enforcement agencies. A patient's objection to the disclosure
of his presence under section 5134 is not effective under section
5139 as to law enforcement agencies.

In order for a law enforcement agency to obtain information
under the provisions described above, the agency must provide the
trustee with a written certification signed by a supervisory official
of a rank designated by the head of the agency specifying the
information requested and stating that the information is needed for a
lawful purpose under this section. A request that asks for all
information in a medical record will not in all circumstances satisfy the
requirement that the request be specific.

There are two other provisions that authorize disclosure to law
enforcement agencies. Section 5139(b)(2) and (b)(3) permits health
care providers and selected other trustees to comply with laws that
require the reporting of specific health care information to law
enforcement authorities. This covers gunshot wound reporting laws
and similar statutes. Subsection (b)(3) permits federal facilities to
comply with these laws even though they may not be legally required
to do so.

129 Section 5194(f)(2) expressly preserves any law that requires the reporting of abuse or
neglect information, and these laws will be an exception to the general rule in section 5139.

Protected health information disclosed under this section may
not be used in any administrative, civil, or criminal action or
investigation against the patient except one arising out of and directly
relating to the action or investigation for which the information
was obtained. This limitation does not prevent use of information
obtained under this section about a patient who is involved either
alone or with his doctor in fraudulent activity against the health
program being investigated. Information obtained under section
5139 may not be otherwise used or disclosed by the agency unless
the disclosure is necessary to fulfill the purpose for which the
information was obtained and is not otherwise prohibited by law.

SECTION 5140. SUBPOENAS, WARRANTS, AND SEARCH WARRANTS

Compliance by health information trustees with subpoenas,
summonses, warrants, and search warrants is provided for in section
5140. The section does not give a trustee new authority to refuse
to comply with valid legal process, but it does establish some
prerequisites for those seeking information by legal process and some
limitations on the use of information so obtained.

For most types of legal process, specific access procedures
(including patient notice and challenge rights) are set out in sections
5151 and 5153. These procedures are described elsewhere in this
report. In general, a person seeking protected health information
from a health information trustee by legal process must provide the
trustee with written certification that the applicable access
procedures have been followed. The certification notifies the trustee that
it may comply with the process without liability under the Fair
Health Information Practices Part. Any person who certifies falsely
may be subject to civil or criminal penalties.

Section 5140(a)(3) makes clear that patient notification and
related requirements do not apply if there is a basis in a disclosure
section of the Part for disclosing patient information, as long as the
conditions in that section authorizing the disclosure are met. In
these instances, the requirements of the other sections authorizing
the disclosure provide safeguards for the individuals. Notice to
individuals simply because compulsory process was being used
would serve no useful purpose, and might wrongly convey the
impression that the patient was somehow being investigated.

For example, trustees can disclose protected health information
to health oversight agencies under section 5133, pursuant to the
conditions specified in that section. An oversight agency may have
subpoena authority to compel disclosure by a trustee. For example,
Inspectors General have such authority in the Inspector General
Act of 1978.130 Likewise, providers and others may disclose
information to public health agencies for the investigation of disease or
other health and safety hazards under section 5135. In many
States, public health agencies have subpoena or warrant authority
to obtain information. Should a public health agency have to use
that authority, the bill does not require that the public health
agency comply with the access and challenge procedures under
section 5153, as long as the request complies with section 5135.

130 See 5 U.S.C. App. §6(a)(4) (1988).

The National Transportation Safety Board conducts
investigations of certain accidents (such as airplane and train crashes), in
an effort to improve the public health and safety by making
recommendations for safety improvements, and it uses medical
records in its investigations. It has authority to subpoena
records. Since its use of the subpoena authority would be in the
course of a public health investigation, with disclosure authorized
under section 5135, notification to the individuals would not be
necessary.

The Occupational Safety and Health Administration and the
National Institute for Occupational Safety and Health have authority
to compel disclosure of health records for their public health
investigations and occupational health research,132 and the Mine Safety
and Health Administration has similar authority. If inquiries
under these authorities qualify as public health investigations and
comply with section 5135, or qualify as research and comply with
the requirements of 5136, the individual notification provisions of
sections 5151 through 5153 are not applicable if the agencies
utilize their subpoena authority.

Any person obtaining protected health information through legal
process in accordance with section 5140 becomes a health
information trustee and is subject to the general requirements of the Fair
Health Information Practices Part. A person who so obtains
protected health information may not use or disclose the information
in any administrative, civil, or criminal action or investigation
directed against the individual, except an action or investigation
arising out of and directly related to the inquiry for which the
information was obtained.

There are special rules governing use of protected health
information by grand juries. The restrictions on grand jury subpoenas
originated with recommendations of the Privacy Protection Study
Commission. The Commission's report includes a brief history of
the origin and use of grand juries and this observation:

In essence, the Grand Jury subpoena duces tecum has
become little more than an administrative tool, its
connection with the traditional functions of the Grand Jury
attenuated at best. One might characterize its current use as
a device employed by investigators to circumvent the
stringent requirements which must be met to obtain a search
warrant. Documents are subpoenaed without the
knowledge, not to mention approval, of the Grand Jury.
Documents summoned in the Grand Jury's name may never be
presented to it. Indeed, the evidence obtained may not
even reach an attorney for the government; it may simply
be examined and retained by investigative agents for
unspecified future uses. The unique powers of inquiry and
compulsion, theoretically justified by the secrecy and
limited effect of Grand Jury deliberations, have become a
generalized resource for Federal investigative activities.135

131 49 U.S.C. §1903 (1988).
132 29 U.S.C. §§657, 669 (1988).
133 30 U.S.C. §813 (1988).
134 PPSC Report.

A similar conclusion was reached in a recent decision by the
Court of Appeals for the First District of Texas.136 In a concurring
opinion, all three judges who decided the case offered these
observations about the serious threats to privacy that are presented by
the unrestricted use of grand jury subpoenas:137

The unrestricted use of grand jury subpoenas to obtain
medical records is a serious threat to privacy. There is
almost no limit on what can be obtained without the
knowledge or approval of any court, any grand jury, any
supervisor in a prosecutor's office, or the person affected. A
prosecutor's right to snoop is not limited by the seriousness of
the crime — Texas grand juries may investigate any crime,
including the most minor misdemeanors. Although DWI is
not a minor offense, this case is a good example. This
grand jury subpoena was issued for a misdemeanor
offense. ...

Imagine the opportunities for political vendettas,
personal revenge, and garden variety bureaucratic abuse of
power. If a partisan prosecutor wanted to know if a
presidential candidate of the opposite party had cancer, or was
cured of it, he or she could subpoena hospital, laboratory,
or physicians' records. If the leaders of the executive
branch of government wanted to see who leaked the
Pentagon Papers, they would not have to burglarize the office of
Daniel Ellsberg's psychiatrist — a friendly prosecutor
should simply subpoena the records. If a partisan
prosecutor wanted to know whether a political opponent had been
treated for mental illness or for a venereal disease, he or
she could subpoena the opponent's medical records. Under
our law, there is not requirement that a grand jury even
be in session. [citation omitted] There is no advance
showing required that the material subpoenaed may be relevant
to an existing or contemplated investigation, or even that
there be an existing or contemplated criminal
investigation. Judicial authority over the process is almost totally
lacking. I know of no other part of the judicial process
more open to abuse.

The court recommended the enactment of narrowly drafted
legislation to put reasonable limits upon the use of grand jury
subpoenas for things as intimate as health records. The Privacy Protection
Study Commission offered similar recommendations.138 The
provisions of § 130(b) are derived from recommendations made by the
Privacy Protection Study Commission. The restrictions on grand
jury subpoenas will limit or eliminate abusive grand jury
subpoenas for protected health information but will not interfere with
legitimate grand jury investigations.

135 Id. at 377.
136 Thurman v. Texas, 861 S.W. 2d 96 (1993).
137 Id.
138 Id. at 378.

The restrictions in section 5140(d) are intended to make sure
that grand jury subpoenas are only used for legitimate grand jury
purposes, to limit use of protected health information to the
purpose for which the grand jury obtained it, and to require that the
information be returned to the trustee or destroyed.

Most health information trustees are authorized to comply with
legal process. There are three types of trustees — health information
service organizations, public health authorities, and health
researchers — who are not so authorized. Any protected health
information in the possession of these trustees will have originated with
a health care provider. Legal process for the records should be
directed to the provider and not to a secondary source. For example,
allowing disclosure of records in any type of central repository —
like a health information service organization — may constitute a
circumvention of the confidentiality interests of patients as well as
of the interests of providers. Health care providers may have
interests in protecting the confidentiality of their own records that
overlap with or are independent of the interest of their patients. It is
desirable, where practicable, for providers to be involved in
requests for treatment records. This is especially true for records
such as mental health treatment notes.

It is important that any such repositories not become general
sources of patient information for other purposes, especially by
subpoena. Exempting these trustees from complying with compulsory
process will help to accomplish this. The exemption will not protect
these trustees from compulsory process that is used to enforce a
type of access that would otherwise be permitted under Subpart B
without compulsory process.

SECTION  5141.  HEALTH  INFORMATION  SERVICE  ORGANIZATIONS 

Section 5141 provides that health information trustees may
disclose protected health information to a health information service
organization for the purpose of permitting the organization to
perform a function authorized by the Secretary. At the time that the
Fair Health Information Practices Part of H.R. 3600 was approved
by the Committee on Government Operations, the nature, function,
and designation of health information service organizations was
not yet established. This section recognizes that there may be a
new type of organization that will serve a function in the collection,
transmission, or use of protected health information. Until the
functions are set elsewhere, the terms under which information can
flow cannot be defined with any precision.

SECTION  5151.  ACCESS  PROCEDURES  FOR  LAW  ENFORCEMENT 
SUBPOENAS,  WARRANTS,  AND  SEARCH  WARRANTS 

There are three different procedures for legal process under the
Fair Health Information Practices Part. Section 5151 sets out the
procedures for warrants and for legal process used for law
enforcement purposes. Section 5153 sets out the procedures for all other
legal process.

139 See generally IOM Health Data Report (discussing the role of health database
organizations).

Section 5151(b) sets out the procedures that apply to judicial and
administrative warrants and search warrants. Within 30 days after
the date that a warrant seeking medical information is served on
a health information trustee, the government authority that
obtained the information must serve the patient with a copy of the
warrant or must mail a copy to the last known address of the
patient. No advance notice to the patient is required, and no new
challenge rights are provided for warrants. This provision is not
intended to override any legislation restricting the use of warrants
to obtain information from third party record keepers.

The most elaborate access procedures in the bill are for
administrative and judicial summonses and subpoenas issued for law
enforcement purposes. These procedures are found in section 5151.
The complexity is appropriate because a patient's privacy interests
are most directly threatened by the possible use of protected health
information against the patient in a judicial or administrative
action or investigation. In addition, the occasional needs of law
enforcement agencies for secrecy or dispatch in obtaining information
must be accommodated.

A government authority may only obtain protected health
information for use in a law enforcement inquiry through legal process
if there is probable cause to believe that the information will be
relevant to the inquiry being conducted by the authority. This
standard was chosen because it is identical to the access standard in the
Video Privacy Protection Act of 1988.140 There is no reason why
health records should receive lesser protection than video rental
records.

On or before the date that the process is served on the health
information trustee, the government authority must serve on the
patient, or mail to his last known address, a copy of the process
together with a notice of the patient's right to challenge the
process. The Secretary is required to prepare a notice of patient's rights
under section 5155(1), and all notices given to patients must
include all of the information that is in the Secretary's notice.

If thirty days have passed from the date of service of a copy of
the process upon the patient, or from the date of mailing, and no
challenge has been initiated by the patient as provided in section
5152, then the government authority may obtain the protected
health information from a health care trustee. If a timely challenge
has been filed, then the process may only be enforced by order of
a court.

With the approval of a court, the government authority may
delay notifying a patient that protected health information about
the patient is being sought. An application for delay must state
with reasonable specificity why the delay is being sought. The court
may grant the delay if (1) the inquiry is being conducted within the
lawful jurisdiction of the government authority; (2) there is
probable cause to believe that the information being sought will be
relevant to a legitimate law enforcement inquiry; (3) the government
authority's need for the information outweighs the patient's privacy
interest; and (4) there are reasonable grounds to believe that
receipt of a notice by the patient will result in (a) endangering the
life or physical safety of any individual, (b) flight from prosecution,
(c) destruction of or tampering with evidence or the information
being sought, or (d) intimidation of potential witnesses.

140 18 U.S.C. §2710(b)(3) (1988).

Any court order delaying notice to the patient may also prohibit
a health information trustee from revealing the request for
information to the patient. Extensions of a delay order may be obtained
in the same fashion as the original application. When the period
of delay has expired, the government authority must serve upon
the patient a copy of the process, the notice of patient rights, a
copy of the application for delay, and a copy of the court order.

SECTION 5152. CHALLENGE PROCEDURES FOR LAW ENFORCEMENT
SUBPOENAS

Section 5152 sets out the procedures for a challenge to a law
enforcement summons or subpoena. A patient may file a challenge in
an appropriate court without being required to pay any filing fee.
In the case of a state judicial subpoena, the challenge may be filed
in any court of competent jurisdiction.

For federal judicial subpoenas, a patient challenge may be filed
in any federal court of competent jurisdiction. In most instances
under the Federal Rules of Civil and Criminal Procedure, this will
mean the court that issued the subpoena. For other summonses
and subpoenas issued under the authority of the United States
(chiefly administrative summonses), the patient may file in the
United States district court for the district in which the patient
resides or in which the summons or subpoena was issued, or in
another United States Court of competent jurisdiction.

A patient's challenge will be in the form of a motion to quash the
summons or subpoena. The patient must serve a copy of the motion
upon the government authority. Once the motion to quash has been
filed, the burden of going forward and the burden of justifying the
process fall upon the government authority seeking the
information. The government authority may respond to the motion to
quash by filing with the court affidavits and other sworn
documents to sustain the validity of the summons or subpoena. Within
five days after the filing by the government authority, the patient
may file affidavits and other sworn documents in response to the
authority's filing. With the permission of the court, both parties
may proceed in camera.

In deciding the motion, the court may conduct any proceeding
that it deems appropriate. All proceedings should be completed and
a decision rendered within ten days of the date of the government
authority's filing, but the court may extend the time limits at its
discretion. However, a failure of the court to rule on a motion
within ten days does not operate as a denial of the motion.

A court may deny a patient's timely motion to quash if it finds
that there is probable cause to believe that the law enforcement
inquiry is legitimate and that the information being sought is
relevant to that inquiry. Notwithstanding such a finding, a court may
nevertheless grant the patient's motion if it finds that the patient's
privacy interest outweighs the government authority's need for the
information.

This balancing test has been included because the government's
need for protected health information about a patient is not always
more important than the patient's interest in the privacy of his
records. When a medical record contains sensitive information
about the patient, and the law enforcement inquiry does not
involve a major matter or the information is not of great importance
to the inquiry, a court may decide to grant the patient's motion to
quash despite the relevance of the information. The burden of
demonstrating that the privacy interest outweighs the government
authority's need falls on the patient.

In balancing the patient's privacy interest, the court may
consider (1) the particular purpose for which the information was
collected by the medical care facility; (2) the degree to which
disclosure of the information will embarrass, injure, or invade the
privacy of the patient; (3) the effect of the disclosure on the patient's
future health care; (4) the importance of the inquiry being
conducted by the government authority and the importance of the
information to that inquiry; and (5) any other factor deemed relevant
by the court.

The  balancing  test  may  be  used  to  deny  the  government  author- 
ity access  to  some  or  all  of  the  protected  health  information  about 
a  patient.  When  the  disclosure  of  information  would  tend  to  un- 
fairly stigmatize  a  patient,  a  judge  may  find  it  appropriate  to  pro- 
tect the  patient's  interest  in  privacy.  For  example,  information 
about psychiatric care, drug abuse or alcoholism, sexually-transmitted
disease treatment, and similar matters are examples of types
of  data  that  are  more  sensitive  and  personal.  On  the  other  hand, 
directory  information  about  a  patient's  hospital  stay  would  in  most 
instances  be  less  sensitive. 

If  a  patient  files  a  motion  to  quash  and  substantially  prevails, 
the  court  may  assess  against  a  Federal  government  authority  attor- 
ney fees  and  court  costs  reasonably  incurred  by  the  patient.  Any 
court ruling denying a motion to quash shall not be deemed a final
order  in  any  legal  proceeding  initiated  against  the  patient  arising 
out  of  or  based  on  the  protected  health  information  disclosed. 

All  summonses  and  subpoenas  for  protected  health  information — 
other  than  law  enforcement  summonses  and  subpoenas  subject  to 
section 5151 — are governed by the rules established in section
5153.  This  includes  subpoenas  issued  on  behalf  of  a  government 
authority  which  is  not  acting  in  a  law  enforcement  capacity.  No 
person  may  obtain  protected  health  information  from  a  health  in- 
formation trustee  unless  there  are  reasonable  grounds  to  believe 
that  the  information  will  be  relevant  to  a  lawsuit  or  other  judicial 
or  administrative  proceeding. 

SECTION 5153. ACCESS AND CHALLENGE PROCEDURES FOR OTHER
SUBPOENAS

The  patient  notice  procedures  under  section  5153  are  essentially 
similar  to  the  procedures  for  law  enforcement  subpoenas.  There  is, 
however,  no  provision  for  delay  of  notice.  The  patient  may  chal- 
lenge a  summons  or  subpoena  issued  under  section  5153  by  filing 
a motion to quash in a court of competent jurisdiction and by serving
a copy of the motion on the person seeking the information.

The patient may oppose or seek to limit the summons or subpoena
on any ground that would otherwise be available if the patient
were in possession of the information. This would include but
not  necessarily  be  limited  to  the  reasons  for  seeking  a  protective 
order  listed  in  Rule  26(c)  of  the  Federal  Rules  of  Civil  Procedure. 
These  include  annoyance,  embarrassment,  oppression,  or  undue 
burden.  However,  a  patient  may  not  assert  the  rights  of  a  medical 
care  facility. 

The  burden  in  these  cases  is  different  than  for  law  enforcement 
subpoenas.  The  burden  of  showing  reasonable  grounds  to  believe 
that  the  information  will  be  relevant  to  a  lawsuit  or  other  proceed- 
ing falls  on  the  proponent  of  the  subpoena.  This  parallels  the  law 
enforcement  subpoenas  section.  The  proponent  also  bears  the  bur- 
den of  demonstrating  that  the  need  for  the  information  outweighs 
the  privacy  interest  of  the  individual.  As  a  result,  the  proponent 
can  be  denied  access  even  if  the  patient  never  speaks.  The  specific 
considerations  to  be  evaluated  in  assessing  a  patient's  privacy  in- 
terest are  virtually  the  same  as  for  law  enforcement  subpoenas. 

SECTION 5154. CONSTRUCTION OF SUBPART; SUSPENSION OF STATUTE
OF LIMITATIONS

Section  5154(a)  makes  it  clear  that  none  of  the  subpoena  chal- 
lenge procedures  affect  the  right  of  a  health  information  trustee  to 
challenge  a  request  for  protected  health  information.  Trustees  may 
have  independent  grounds  for  challenging  compulsory  process.  At 
the  same  time,  nothing  is  intended  to  entitle  protected  individuals 
to  assert  the  rights  of  health  information  trustees. 

Section 5154(b) provides that if an individual challenges a government
subpoena for protected health information in a manner that
has  the  effect  of  delaying  access  by  the  government,  any  applicable 
statute  of  limitations  for  a  civil  or  criminal  action  is  extended  for 
the  period  of  the  challenge. 

SECTION  5155.  RESPONSIBILITIES  OF  THE  SECRETARY 

Section  5155  provides  that  the  Secretary  of  Health  and  Human 
Services shall develop notices for use under section 5151 and section
5153 that must be used to inform protected individuals about
their  challenge  rights  for  compulsory  process. 

SECTION  5161.  PAYMENT  CARD  AND  ELECTRONIC  PAYMENT 
TRANSACTIONS 

The  Fair  Health  Information  Practices  Part  offers  comprehensive 
protections  for  identifiable  health  information  that  is  generated 
through  or  becomes  a  part  of  the  health  care  system.  Most  pay- 
ments for  health  care  services  will  be  handled  through  insurers 
who  are  directly  covered  by  the  Part.  As  a  result,  the  information 
disclosed  to  them  will  be  fully  covered  by  the  Part's  protections. 
However,  when  payments  for  health  care  services  are  made  inde- 
pendently through  third  party  payment  mechanisms,  there  is  a  dis- 
tinct possibility  that  personal  health  information  could  lose  protec- 
tions as  payment  information  is  processed  outside  the  scope  of  the 
Part. 

For example, when an individual pays for health services with a
credit card, those engaged in processing the credit card payment
acquire some information about the individual. This includes the
name of the individual, the name of the physician ("merchant"),¹⁴¹
the  date  of  the  transaction,  and  the  amount  of  payment.  While  de- 
tailed information  about  the  goods  or  services  provided  to  the  cus- 
tomer may  not  be  included,  the  information  that  is  transmitted  is 
not  trivial.  The  specialty  of  a  physician  can  be  readily  determined 
from public sources. This may indicate the type of treatment. For
example,  it  may  be  inferred  that  a  patient  of  an  oncologist  suffers 
from  cancer.  Other  inferences  can  be  made  about  a  patient  being 
treated  at  the  Betty  Ford  Center.  Additional  personal  health  data 
may  be  inferred  from  the  frequency  of  visits  and  the  amount  of 
payment.

The  regular  compilation  of  health  payment  data  over  time  could 
result  in  the  establishment  of  personal  health  dossiers  that  are  not 
subject  to  any  legal  restrictions  on  use  or  disclosure.  This  is  not  a 
theoretical  possibility.  At  least  one  company  is  advertising  a  health 
care  credit  card  dedicated  to  the  payment  of  health  care  expenses. 
One  of  the  benefits  offered  by  this  card  issuer  is  an  itemized  listing 
of  expenses  that  could  be  used  for  tax  filing  or  household  budgeting 
expenses.  The  unrestricted  use  of  that  same  information  by  the 
card  issuer  could  result  in  significant  intrusions  into  the  privacy  in- 
terests of  individuals. 

The use of credit/debit cards for payment of health care products
and  services  is  increasing.  According  to  Mastercard  International, 
more  physicians  are  requiring  patients  to  pay  for  services  at  the 
time  of  delivery.  Coinsurance  is  rising  and  deductibles  are  increas- 
ing as  well.  Mastercard's  sales  volume  for  health  care  exceeds  two 
billion  dollars  and  is  increasing  steadily. 

It  has  already  been  documented  in  this  report  that  the  direct 
marketing  industry  is  actively  engaged  in  the  selling  of  mailing 
lists  that  include  specific  health  information  about  identified  indi- 
viduals. Some  of  the  same  type  of  health  information  that  is  al- 
ready being  bought  and  sold  routinely  could  be  derived  from  credit 
card and other payment system data. In order to protect the interests
of individuals receiving and paying for health care, section
5161  includes  specific  protections  against  misuse  of  health  data  de- 
rived from  the  payment  system.  The  intent  is  to  create  standard 
guidelines  that  will  support  the  continued  use  of  a  variety  of  pay- 
ment systems  in  the  health  industry  without  impinging  on  the  pri- 
vacy interests  of  patients. 

Section  5161  establishes  special  rules  for  payment  transactions. 
Trustees may disclose limited amounts of protected health information
for payment purposes when an individual presents a credit
card, debit card, other payment card or account number, or authorizes
other electronic payment means. The presentation by the individual
of a card, number, or acceptance of electronic payment is
sufficient authorization for the trustee to begin the payment process.
There is no requirement that a formal authorization meeting
the terms of section 5132 be executed.

¹⁴¹ Information provided by Mastercard International lists sixteen health care-related merchant
categories, including doctors and physicians; chiropractors; dental and medical laboratories;
ambulance services; hearing aid sales and service, and orthopedic goods — artificial limb
stores. With this information, it is possible to make informed determinations about the general
nature of health care products and services that have been provided to particular patients.

Once  the  individual  has  initiated  or  agreed  to  one  of  these  pay- 
ment methods,  the  trustee  is  authorized  to  disclose  only  such  pro- 
tected health  information  as  is  necessary  for  the  processing  of  the 
payment,  for  billing,  or  for  collection.  The  standard  information  tra- 
ditionally transmitted  as  part  of  a  credit  transaction  meets  this 
standard.  This  does  not,  however,  permit  the  disclosure  of  specific 
protected  health  information  by  the  trustee.  A  routine  transaction 
would  identify  the  patient,  the  service  provider,  the  date,  and  the 
amount.  The  address  and  telephone  number  of  the  individual  might 
be  also  disclosable,  but  only  when  needed  for  payment,  billing,  or 
collection  and  not  otherwise  prohibited  by  state  or  federal  law.  De- 
tails of  treatment,  diagnoses,  medical  history,  and  similar  protected 
health  information  will  not  qualify  for  disclosure  under  this  stand- 
ard. 

This  disclosure  authority  is  included  in  the  bill  because  of  the 
need to recognize the manner in which payments are normally authorized
by individuals. It is an exception, albeit a limited one, to
the  Part's  usual  disclosure  rules,  and  it  should  be  narrowly  con- 
strued. The  recipients  of  the  data  (i.e.,  credit  card  processors, 
banks) are themselves subject to the specific rules of the credit/debit/electronic
payment provisions. These recipients are not health
information trustees, and they are not subject to the other requirements
of the Part. Their responsibilities under the Fair Health Information
Practices Part are fully described in section 5161.¹⁴²

Subsection  (b)  establishes  rules  on  use  and  disclosure  of  identifi- 
able information  obtained  through  payment  processing.  In  general, 
the purpose is to authorize only those uses and disclosures that are
"necessary" for the routine processing of payments and the conduct
of the business of processing. Other uses and disclosures — such as
for  direct  marketing  by  the  processor  or  by  others,  for  the  develop- 
ment of  consumer  profiles,  for  prescreening,  for  credit  evaluation, 
or  for  other  purposes — are  prohibited. 

Information  may  be  used  or  disclosed  when  necessary  for  author- 
ization, settlement,  billing,  consumer  inquiries,  settlement  of  dis- 
putes, or  collection  of  amounts  charged  or  debited.  Authorization  is 
an  act  by  a  merchant  to  communicate  by  telephone  or  electronically 
basic  transaction  information  (account  number,  merchant  identi- 
fier, transaction  amount)  to  obtain  approval  to  proceed  with  the 
transaction.  Settlement  means  the  process  by  which  the  merchant's 
bank  collects  funds  due  to  the  merchant  from  the  issuing  bank. 
Both  of  these  processes  precede  the  consumer  billing  and  collection 
phases  of  the  transaction. 

Information  may  be  used  or  disclosed  when  necessary  for  the 
transfer  of  receivables,  accounts,  or  interest  therein.  This  is  in- 
tended to  cover  the  range  of  activities  that  surround  the  sale  or 
transfer  of  receipts.  Information  also  may  be  used  or  disclosed 
when necessary for the audit of payment account information; for
compliance with federal, state, or local laws or regulations; or for
properly authorized civil, criminal or regulatory investigations by
federal, state, or local authorities. Other uses or disclosures are
prohibited.

¹⁴² Other applicable laws, such as the Fair Credit Reporting Act, continue to apply, of course.

SECTION 5162. ACCESS TO PROTECTED HEALTH INFORMATION OUTSIDE
THE UNITED STATES.

The  protections  provided  by  the  Fair  Health  Information  Prac- 
tices Part  could  be  evaded  if  protected  health  information  could  be 
transferred  to  another  jurisdiction  where  the  information  will  not 
receive  similar  legal  protection.  There  is  growing  international  rec- 
ognition that  domestic  fair  information  practices  may  be  insuffi- 
cient when  personal  information  crosses  international  boundaries. 
For  example,  the  1981  Council  of  Europe  Convention  for  the  Pro- 
tection of  Individuals  With  Regard  to  Automatic  Processing  of  Per- 
sonal Data  includes  a  provision  that  permits  the  assessment  of  the 
equivalency of protection for personal data in another country.¹⁴³
Also,  a  key  provision  of  the  draft  European  directive  concerning  the 
protection  of  individuals  in  relation  to  the  processing  of  automated 
data  restricts  the  ability  of  member  countries  to  send  data  to  other 
nations where data protection laws are insufficiently protective.¹⁴⁴

Professor  Joel  Reidenberg  of  Fordham  Law  School  has  written 
about  these  issues: 

Because  of  the  transnationalization  of  personal  informa- 
tion processing,  fair  information  practice  rules  often  con- 
sider the  international  implications  of  differing  standards. 
Transborder  data  flows  raise  legitimate  concerns  for  na- 
tional authorities  of  the  sufficiency  of  foreign  fair  informa- 
tion practice  rules.  Problems  may  arise  in  several  contexts: 
the  differing  levels  of  fair  information  practice  standards; 
the  uncertainty  of  applicable  law;  and  the  practical  prob- 
lems of  implementation.  The  French  fear  of  "data  havens," 
for  example,  is  reasonable  when  information  processing  for 
French  companies  may  be  structured  off-shore  to  avoid  fair 
information practice rules in France.¹⁴⁵

In  general,  the  United  States  needs  to  be  more  aware  of  the  pos- 
sibility that  information  about  its  citizens  may  be  transferred  to 
other  countries.  With  the  intensive  use  of  computers  for  processing 
of  personal  information  and  the  growing  availability  of  a  global  in- 
formation superhighway,  transborder  data  flows  must  be  viewed  as 
potentially  troublesome.  Many  companies  in  the  business  of  proc- 
essing personal  data  are  multinational  and  may  be  able  to  main- 
tain data  in  the  country  that  offers  the  most  corporate  flexibility 
and  the  least  data  protection.  Protections  afforded  by  domestic  laws 
will be undermined if personal data is maintained in other countries
that do not have modern fair information practices or that
otherwise serve as data havens. Data protection is not just a national
problem anymore, and the international component will continue
to grow in significance as time passes, technology advances,
and interconnectivity increases. The need for better coordination of
data protection policies has been recognized in Europe, and the
United States will eventually need to pay attention to the international
side of data protection. The Fair Health Information Practices
Part takes a modest first step in that direction.

¹⁴³ Council of Europe, "Convention for the Protection of Individuals With Regard to Automatic
Processing of Personal Data," Art. 12 (1981), reprinted in "Data Protection, Computers, and
Changing Information Practices," Hearing before the Subcomm. on Government Information,
Justice, and Agriculture, House Comm. on Government Operations, 101st Cong., 2d Sess. (1990).

¹⁴⁴ See Commission Proposal for a Council Directive Concerning the Protection of Individuals
in Relation to the Processing of Personal Data, Eur. Parl. Doc. (COM 422 final-SYN 287) (1992).

¹⁴⁵ Reidenberg, "The Privacy Obstacle Course: Hurdling Barriers to Transnational Financial
Services," 60 Fordham Law Review S137 (1992) (footnotes omitted).

Section  5162  addresses  this  issue.  The  general  rule  is  that  a 
health  information  trustee  may  not  permit  any  person  who  is  not 
in  the  United  States  to  have  access  to  protected  health  information 
about  an  individual  except  in  specified  circumstances. First,  in- 
formation may  be  sent  overseas  if  the  individual  has  specifically 
consented  in  an  authorization  that  meets  the  requirements  of  the 
Part.  A  general  authorization  is  not  sufficient.  The  authorization 
must  specifically  mention  international  disclosure  and  meet  the 
other  standards  of  the  authorization  section.  When  an  individual 
seeks  health  care  overseas,  records  may  be  transferred  pursuant  to 
this  type  of  authorization.  If  a  company  transfers  an  employee 
overseas,  health  records  can  be  sent  with  the  consent  of  the  em- 
ployee. 

Second,  information  may  be  transferred  to  a  country  if  the  Sec- 
retary has  determined  that  there  are  fair  information  practices  for 
protected  health  information  in  that  country  that  provide  protec- 
tions for  the  subject  of  the  information  that  are  equivalent  to  the 
protections in the Part. Many nations — and some local jurisdictions —
have passed comprehensive data protection laws that are
generally  equivalent  to  the  Fair  Health  Information  Practices  Part. 
Foreign  laws  do  not  have  to  be  identical  to  qualify  under  the  stand- 
ard. The  focus  is  on  the  scope  of  the  protections  and  the  remedies 
that  are  provided  for  individuals. 

These  protections  can  be  provided  in  a  variety  of  ways.  Even  if 
a country does not have a comprehensive data protection law or a
specific health care fair information practices law, it is still possible
that the country could offer equivalent protections to individuals.
Consider,  for  example,  a  country  that  receives  protected  health  in- 
formation for  processing,  such  as  transcribing.  The  data  is  received, 
transcribed,  and  returned  to  the  United  States.  If  a  formal  legal 
enclave  for  protected  health  information  were  established,  with 
controls  that  prevent  the  data  from  being  used  in  any  way  while 
in  the  country,  and  if  the  data  were  not  retained  in  the  country  ex- 
cept for  a  brief  period,  the  Secretary  might  determine  that  the  sub- 
ject of  the  information  has  equivalent  protection  for  the  brief  period 
while  the  data  is  in  the  country. 

A  trustee  that  seeks  to  rely  on  the  "equivalent  protection"  section 
to  send  protected  health  information  to  another  country  must  ob- 
tain a  determination  from  the  Secretary  in  advance.  Notwithstand- 
ing a  positive  determination  from  the  Secretary,  transferring  pro- 
tected health  information  to  another  country  does  not  relieve  a 
trustee  of  any  responsibility  under  the  Part. 

Third, protected health information may be transferred to another
country if provision of access is required under a federal statute,
treaty, or other international agreement applicable to the
United States.

¹⁴⁶ Providing access to a person overseas includes actually transferring protected health information
or allowing access to the information through a computer terminal. If the information
is accessible through a terminal, then the international restrictions are fully applicable.

There  are  four  other  conditions  under  which  the  restriction  on 
foreign  access  does  not  apply.  First,  protected  health  information 
may  be  disclosed  to  a  foreign  public  health  authority.  Public  health 
investigations  of  infectious  diseases  may  need  to  extend  beyond  na- 
tional borders.  Second,  disclosures  that  are  authorized  under  the 
emergency  section  or  under  the  health  research  section  are  per- 
mitted. Third,  disclosures  may  be  made  under  the  next  of  kin  sec- 
tion. There  is  no  reason  to  restrict  an  otherwise  authorized  disclo- 
sure because  the  next  of  kin  happens  to  be  in  another  country.  The 
same  is  true  for  directory  information  that  can  be  provided  to  any 
person.  The  location  of  the  recipient  is  not  relevant.  Finally,  a  dis- 
closure may  be  made  to  another  country  if  necessary  for  the  pur- 
pose of  providing  for  payment  for  health  care  provided  to  an  indi- 
vidual. The  Committee  envisions  that  this  exception  may  be  needed 
when  care  is  provided  in  the  United  States  to  a  foreign  national 
who  is  covered  by  a  national  or  private  health  plan.  Within  the 
United  States,  disclosures  for  payment  are  otherwise  authorized. 
This  language  does  not  authorize  an  American  insurer  to  maintain 
its  routine  payment  records  in  another  country  and  to  transfer  the 
data  to  that  country  on  the  grounds  that  the  transfer  is  necessary 
to  provide  for  payment. 

Some  federal  agencies — such  as  the  Department  of  Defense — 
maintain  health  care  facilities  and  health  care  records  abroad.  Pro- 
tected health  information  in  the  possession  of  a  federal  agency  re- 
mains fully  subject  to  the  Fair  Health  Information  Practices  Part 
wherever  the  records  are  located.  As  a  result,  the  limitations  on 
disclosure  to  other  countries  are  not  relevant  or  applicable  when 
protected  health  information  is  accessed  outside  the  United  States 
but  within  the  possession  and  control  of  a  federal  agency. 

SECTION  5163.  STANDARDS  FOR  ELECTRONIC  DOCUMENTS  AND 
COMMUNICATIONS 

The  Secretary  of  Health  and  Human  Services  is  required  to  es- 
tablish standards  for  the  creation,  transmission,  receipt,  and  main- 
tenance in  electronic  and  magnetic  form  of  each  type  of  written 
document  required  or  authorized  under  the  Fair  Health  Informa- 
tion Practices  Part.  This  authority  also  extends  to  standards  for 
electronic  signatures.  In  preparing  the  standards,  the  Secretary  is 
required to consult with interested parties, including private standard-setting
organizations like the American National Standards Institute.
Any standards promulgated by the Secretary should be
fully  compatible  with  comparable  standards  in  use  elsewhere. 

SECTION  5164.  DUTIES  AND  AUTHORITIES  OF  AFFILIATED  PERSONS 

Section  5164  defines  how  the  duties  and  authorities  of  a  health 
information trustee are to be shared with affiliated persons. In general,
when organizations are affiliated persons and receive protected
health information from a trustee, they may use or disclose
the information for a purpose that is authorized by the Fair Health
Information Practices Part, for a purpose that the trustee would be
authorized to engage in, and for a purpose that the trustee has authorized
the affiliated person to engage in. This means, for example,
that if an affiliated person receives protected health information
from a provider for benefit claims processing, the affiliate can
use  the  information  in  research  activities  authorized  by  the  pro- 
vider and  permitted  under  the  Part.  This  might  include  quality  im- 
provement, cost  containment,  outcomes  research  and  similar  activi- 
ties. The  affiliated  person  would  have  to  follow  the  same  proce- 
dures that  the  trustee  would  be  required  to  follow.  An  affiliated 
person  could  not  use  protected  health  information  for  purposes  re- 
lated to  employment,  credit,  marketing,  or  other  purposes  unre- 
lated to  health  care  delivery,  improvement,  and  payment. 

A  trustee  is  obligated  to  notify  its  affiliated  person  of  any  duties 
that  the  affiliated  person  is  required  to  fulfill  and  of  any  authori- 
ties that  the  affiliated  person  is  authorized  to  exercise.  This  notice 
defines  the  responsibilities  of  the  affiliated  person,  who  is  then  con- 
sidered to  be  a  health  information  trustee  for  purposes  of  the  Fair 
Health  Information  Practices  Part.  This  includes  the  enforcement 
provisions  of  the  Part.  An  agreement  with  an  affiliated  person  does 
not  relieve  a  health  information  trustee  of  its  duties  or  liabilities 
under  the  Part. 

SECTION  5165.  AGENTS  AND  ATTORNEYS 

Section  5165  addresses  the  needs  of  persons  who  are  not  able  to 
manage  their  own  affairs,  and  for  whom  decisions  are  being  made 
by  others.  Subsection  (a)  permits  those  acting  for  such  an  individ- 
ual under  State  law  to  exercise  the  rights  of  the  individual  under 
this  Act,  including  the  rights  of  access  and  correction,  and  author- 
ization to  disclose. 

These  designations  can  take  many  forms.  Individuals  may  exe- 
cute powers  of  attorney  under  the  provisions  of  State  law  for  such 
designations.  A  person  may  be  declared  incompetent  by  a  court, 
and  a  guardian  appointed.  In  some  States,  there  is  provision  for 
court  appointment  of  a  guardian  or  conservator,  without  a  declara- 
tion of  incompetence,  upon  the  application  of  either  the  individual 
or  of  others.  In  some  instances,  courts  may  tailor  the  powers  of  the 
conservator  or  guardian  to  the  particular  needs  of  the  individual. 
The  bill  authorizes  action  by  the  legal  representative  "to  the  extent 
authorized."  To  the  extent  that  the  legal  representative's  powers 
are  limited  with  respect  to  records  by  the  court  decree,  those  limi- 
tations would  have  to  be  observed. 

Subsection  (b)  explicitly  addresses  the  more  specialized  situation 
of  a  designation  by  an  individual  of  another  person  to  make  health 
care  decisions  in  case  of  incapacity.  Most  States  have  legislation 
providing  for  designations  by  individuals  of  others  to  make  health 
care  decisions  for  them  in  case  of  incapacity,  in  the  form  of  durable 
powers  of  attorney  for  health  care,  or  similar  instruments.  The  Na- 
tional Conference  of  Commissioners  on  Uniform  State  Laws  has 
promulgated  a  model  law  in  this  area,  the  Uniform  Health-Care 
Decisions Act.¹⁴⁷ The uniform law includes a provision similar to
that in the bill.

¹⁴⁷ 9 Part I U.L.A. 93 (Supp. 1994).

Section 5165(c) addresses a problem that arises when a patient
is not capable of exercising rights but has not been legally adjudicated
as incompetent or does not have a legal representative formally
appointed. For these individuals, the right to authorize disclosures
under section 5132 may be exercised by a person who
holds  a  health  care  power  of  attorney.  If  no  qualified  person  can 
be  found  after  a  reasonable  effort,  then  the  right  may  be  exercised 
by  an  available  attorney  or  next  of  kin.  If  none  of  these  representa- 
tives can  be  located,  the  health  care  provider  is  the  person  of  last 
resort.  Anyone  exercising  the  rights  of  a  protected  individual  in 
this  manner  is  required  to  act  in  the  best  interest  of  the  individual. 

SECTION  5166.  MINORS 

Traditionally,  health  care  providers  have  looked  to  the  parents  or 
legal  guardians  of  a  minor  child  to  consent  to  health  care  on  the 
minor's  behalf  and  to  have  authority  over  the  minor's  protected 
health  information.  In  recent  years,  however,  state  legislatures  and 
the  courts  have  acted  to  protect  health  care  providers  from  liability 
for  treating  certain  minors  without  parental  consent.  This  trend 
has resulted from the recognition that many minors are sufficiently
mature  to  make  informed  decisions  about  their  own  health  care 
and  that  some  young  people  would  be  deterred  from  obtaining 
needed  services  if  they  were  required  to  obtain  the  consent  of  a 
parent  in  all  instances. 

These  recent  changes  in  attitudes  toward  the  medical  care  of  mi- 
nors have  shaped  the  provisions  of  the  Fair  Health  Information 
Practices  Part  dealing  with  the  rights  of  minors.  Section  5166  pro- 
vides that  all  rights  of  patients  eighteen  years  of  age  and  older 
shall  be  exercised  by  the  patient.  For  a  patient  under  fourteen 
years  of  age,  all  rights  shall  be  exercised  through  the  parent  or 
legal  guardian  of  the  patient.  For  those  who  are  fourteen,  fifteen, 
sixteen  or  seventeen  years  of  age,  all  rights  may  be  exercised  either 
by  the  parent  or  by  the  patient.  For  example,  a  disclosure  of  medi- 
cal information  about  a  patient  who  is  fifteen  years  old  may  be 
made  with  the  approval  of  either  the  parent  or  the  child. 

Notwithstanding  these  rules,  when  a  child  of  any  age  has  the 
legal  capacity  to  apply  for  and  obtain  health  care  without  parental 
consent  and  has  sought  such  care,  the  child  shall  exercise  all  rights 
of  a  patient  with  respect  to  the  protected  health  information  relat- 
ing to  that  care.  This  provision  is  included  because  of  the  likelihood 
that  the  disclosure  of  confidential  medical  information  to  a  parent 
may  function  as  effectively  as  a  requirement  for  a  parental  consent 
which  may  deter  the  young  person  from  seeking  needed  health 
care.  Determinations  about  the  legal  capacity  of  a  minor  to  seek 
health  care  without  the  consent  of  the  parent  will  continue  to  be 
made  as  they  are  now.  For  example,  every  state  authorizes  emanci- 
pated minors  to  consent  to  health  care,  although  the  definition  of 
emancipation varies from State to State. Most States view marriage
or economic self-sufficiency as de facto resulting in emancipation.
Most States also have laws on the books permitting young people of
any age to consent to care for sexually-transmitted diseases,
substance abuse, and other conditions.

The most difficult decision that arises in connection with protected
health information of minors involves disclosure to the parent.
The person who is best able to make judgements about the advisability
of such disclosure is the treating physician who knows
the child, the parents and the relationship between them. Doctors
face this problem routinely today, and the Fair Health Information
Practices  Part  does  not  significantly  interfere  with  the  discretion 
that  the  doctor  exercises  today.  When  all  of  the  provisions  of  the 
bill  that  relate  to  inspection  of  protected  health  information  are 
considered  together  in  the  context  of  the  parent-child  relationship, 
the  result  is  that  the  treating  physician  has  considerable  discretion 
in  disclosing  or  denying  information  to  the  child  or  to  the  parent. 

SECTION 5167. MAINTENANCE OF CERTAIN PROTECTED HEALTH INFORMATION

Section  5167  requires  each  State  to  establish  a  process  under 
which  protected  health  information  maintained  by  health  care  pro- 
viders or  health  benefit  plan  sponsors  who  have  closed  will  be  se- 
cured. The  section  requires  that  the  information  be  delivered  to 
and  maintained  by  the  state  or  by  an  entity  designated  by  the 
State.  The  underlying  problem  is  that  there  are  not  always  clear 
rules  that  apply  to  providers  or  insurers  who  go  out  of  business. 
The  requirement  in  section  5167  is  very  general,  and  the  States 
may address the problem as they see fit. States with existing laws
or  programs  may  already  be  in  compliance  with  the  requirement. 
Since  records  of  federal  health  care  facilities  are  subject  to  the  Fed- 
eral Records  Act  and  other  records  laws,  it  is  not  the  intent  of  this 
section  to  bring  these  facilities  within  the  jurisdiction  of  the  States. 

SECTION  5171.  CIVIL  ACTIONS 

Section 5171 permits any individual whose rights have been violated
to bring an action for equitable relief or for damages. The
remedies  have  been  carefully  structured  to  provide  real  relief  for 
those  who  have  been  injured  as  a  result  of  a  violation  and  to  dis- 
courage frivolous  or  trivial  litigation. 

While  civil  actions  are  a  key  element  in  the  enforcement  of  fair 
information  practices,  they  are  not  a  total  answer.  The  history  of 
privacy  laws  suggests  that  individual  lawsuits  are  not  an  especially 
effective  enforcement  mechanism.  While  the  relief  provided  to  spe- 
cific aggrieved  individuals  is  essential  to  them,  lawsuits  are  expen- 
sive and  not  within  the  reach  of  everyone.  As  a  result,  individual 
enforcement  through  lawsuits  cannot  be  relied  upon  as  the  sole  en- 
forcement method.  In  order  to  help  fill  the  enforcement  gap, 
there  are  also  criminal  penalties  and  administrative  penalties. 
General  oversight  may  also  be  provided  by  the  Secretary  or  by 
other  institutions  (such  as  accreditation  and  licensing  authorities) 
that  oversee  the  health  care  system. 

Most  Western  countries  have  established  formal  government  au- 
thorities charged  with  oversight  of  fair  information  practices  laws. 
Professor  Paul  Schwartz  testified  about  some  of  the  benefits  of  a 
data  protection  authority  in  the  United  States: 

A Data Protection Board would monitor data processing
practices and compliance with laws, draw the attention of
the legislature and the public to problems of existing laws
and the need for further regulation, assist citizens seeking
to protect their interests and exercise their rights, and
help business in understanding national and international
legal developments. By fulfilling these tasks, the data
protection commission would help to ensure that public
administrative bodies, the legislature, citizens and the
business community remain aware and active as the conflicts
generated by information technology change.149

148 It is also a feature of privacy lawsuits that the public nature of litigation will necessarily
result in more widespread dissemination of the information deemed to be private. A plaintiff
must be willing to accept broader disclosure of personal data as a necessary condition of filing
suit. This is another factor that deters individuals from using available remedies and that
undermines the effectiveness of private litigation in regulating unwanted conduct.

Professor  Schwartz  also  suggested  that  a  data  protection  board 
would  be  able  to  represent  American  interests  and  assist  American 
companies  facing  scrutiny  by  foreign  data  privacy  authorities. 
There does not appear to be any federal agency that has consistently
carried out this role.150 A data protection agency could assist
individuals and record keepers alike in implementing and coordinating
fair information practices. The value of a data protection
agency  extends  beyond  the  immediate  needs  of  the  health  care  sys- 
tem in  maintaining  fair  information  practices  or  in  implementing 
the  Fair  Health  Information  Practices  Part. 

For  civil  actions  authorized  under  the  Fair  Health  Information 
Practices  Part,  there  is  a  carefully  drawn  distinction  between  the 
remedies  that  are  available  to  an  aggrieved  individual.  Broader 
remedies  are  available  when  there  has  been  a  knowing  violation  of 
the  law.  In  the  case  of  a  knowing  violation,  the  aggrieved  individ- 
ual is  entitled  to  receive  a  minimum  damage  award  of  $5,000.  If 
actual  damages  are  higher,  then  the  individual  is  eligible  for  actual 
damages.  There  is  no  requirement  that  an  individual  demonstrate 
actual  pecuniary  loss  or  non-pecuniary  damage  in  order  to  be  eligi- 
ble for  the  $5,000  award.  In  addition,  in  the  case  of  a  knowing  vio- 
lation, the  individual  may  also  be  awarded  punitive  damages  and 
attorney's  fees. 

In  the  case  of  a  negligent  violation,  damages  are  limited  to  actual 
damages,  which  may  include  physical  and  mental  injury  and  pecu- 
niary losses.  More  limited  remedies  are  appropriate  when  mistakes 
are  accidental  and  not  intentional.  It  can  be  anticipated  that  in 
some  health  care  or  health  payment  settings,  accidental  disclosures 
may  occur  from  time  to  time.  Large  institutions  handling  vast 
quantities  of  data  will  make  occasional  errors  in  data  handling, 
and  errors  that  involve  computerized  records  could  affect  many  in- 
dividuals. It  is  not  the  intent  of  the  legislation  to  provide  windfall 
damages  to  those  who  are  not  actually  harmed  by  these  errors.  For 
example,  the  accidental  misrouting  of  a  computer  tape  containing 
patient  information  will  not  give  rise  to  individual  or  class  action 
lawsuits  unless  the  plaintiffs  can  demonstrate  actual  damages. 

Theoretical or incidental disclosures without identifiable harm to
specific individuals will not result in awards in cases of negligent
violations. However, where there are knowing or deliberate violations
or where negligence is so egregious as to rise to the level of
a knowing violation, then the health information trustee will be
exposed to greater damages. This is a reasonable balance between the
need to provide effective remedies and the need to avoid costs and
unnecessary litigation.

149 "H.R. 4077 Hearings" (May 4, 1994).

150 See, e.g., Gellman, Fragmented, Incomplete, and Discontinuous: The Failure of Federal
Privacy Regulatory Proposals and Institutions, VI Software Law Journal 199, 209-212 (1993). See
also Flaherty, Protecting Privacy in Surveillance Societies (1989).

One  type  of  improper  disclosure  that  gave  rise  to  considerable 
discussion  at  hearings  is  the  deliberate  leak  of  patient  information. 
Rep.  Nydia  Velazquez  testified  about  the  effects  on  her  and  her 
family  of  the  leak  of  very  sensitive  medical  information  during  the 
middle of an election campaign.151 This chilling example of a deliberate
leak has occurred to others in politics, show business, and
public life in general. A deliberate leak of health records is actionable
through the civil remedies, and actual and punitive damages
are  available,  along  with  attorney  fees. 

Leaks are an unfortunate feature of modern life, and computerized
record systems with multiple access points can only exacerbate
the possibility of leaks.152 Every system of records that contains
valuable  or  newsworthy  information  may  become  the  source  of  un- 
authorized disclosures.  There  are  routine  leaks  from  government 
records  systems  containing  highly  sensitive  classified  information 
notwithstanding  intense  security  and  severe  criminal  penalties 
against  unauthorized  disclosure. 

If  the  source  of  a  leak  is  known,  but  the  identity  of  the  leaker 
is  not,  fixing  liability  can  be  difficult.  For  example,  where  a  hos- 
pital employee  leaks  a  patient  record,  it  may  be  clear  that  the  hos- 
pital was  the  source  of  the  record  although  it  may  be  impossible 
to  identify  the  employee  who  is  responsible.  While  it  is  the  intent 
that  a  health  information  trustee  should  be  held  responsible  for  its 
own  actions,  there  is  no  strict  liability  imposed  upon  trustees.  A 
trustee  is  not  an  absolute  guarantor  of  the  confidentiality  of 
records  that  it  maintains.  When  a  trustee  disregards  the  law  in  a 
negligent  or  knowing  manner,  the  trustee  can  be  found  liable  for 
improper  disclosures.  If  there  is  neither  negligence  nor  wilful  mis- 
conduct, then  there  is  no  liability. 

A  trustee  is  responsible  for  maintaining  reasonable  and  appro- 
priate administrative,  technical,  and  physical  safeguards.  The  secu- 
rity requirement  is  not  an  absolute  one.  No  one  can  be  held  to  a 
standard  that  requires  absolute  security.  If  a  trustee  can  dem- 
onstrate that  it  has  established  appropriate  safeguards,  including 
training  about  fair  information  practices  for  employees  and  ade- 
quate supervision  of  employees  and  record  systems,  the  trustee  has 
a  defense  to  an  action  for  an  improper  disclosure.  The  individual 
who  actually  leaked  the  record  may  be  found  criminally  or  civilly 
liable  for  his  or  her  conduct. 

SECTION  5172.  CIVIL  MONEY  PENALTIES 

If the Secretary of Health and Human Services determines that
a health information trustee has demonstrated a pattern or practice
of failure to comply with the provisions of the Fair Health
Information Practices Part, the Secretary may impose a civil money
penalty of not more than $10,000 for each failure. This section is
intended to provide a means of enforcement that does not involve
criminal penalties and that does not require a lawsuit by protected
individuals. The Secretary will be able to encourage enforcement,
especially of those provisions that may not be a likely subject of
lawsuits. An example is the section that requires trustees to
maintain adequate security. If the Secretary finds a general failure to
provide security, the civil money penalty will offer an effective
means of requiring compliance.

151 "H.R. 4077 Hearings" (April 20, 1994).

152 A computerized health record system that permits access to records from anywhere in the
country when emergency care is needed far from home is also likely to permit unauthorized
access under other, less beneficial circumstances. There is a clear tradeoff between benefit and
harm that can result from computerization and centralization of health information. This is one
reason why computerized audit trails are important elements in any computerized health
system. Audit trails can be effective in identifying users of data, deterring improper uses, and
pinning responsibility on culpable individuals.

SECTION  5173.  ALTERNATIVE  DISPUTE  RESOLUTION 

Section 5173 requires the Secretary of Health and Human Services
to develop alternative dispute resolution methods for use by
individuals, health information trustees, and other persons in
resolving claims. The goal is to provide a more accessible and less
expensive remedy. For many individuals, bringing a lawsuit seeking
enforcement of privacy rights or damages for breach of privacy rights
is  too  expensive  or  too  complex.  Disputes  over  access  to  information 
or  amendment  of  information  are  likely  only  occasionally  to  war- 
rant formal  lawsuits.  Patients  and  providers  are  likely  to  be  better 
served  through  other  dispute  resolution  mechanisms  such  as  arbi- 
tration, mediation,  and  other  forms  of  negotiation.  The  Secretary 
has  broad  authority  to  develop  these  mechanisms.  The  Committee 
encourages  the  use  of  alternative  dispute  resolution  mechanisms 
developed  and  implemented  elsewhere. 

SECTION  5174.  AMENDMENTS  TO  CRIMINAL  LAW 

Section  5174  amends  title  18  of  United  States  Code  by  adding  a 
new  chapter  defining  crimes  that  involve  the  use  and  disclosure  of 
protected  health  information.  The  general  philosophy  of  the  crimi- 
nal penalties  is  that  basic  violations  are  class  D  felonies  subject  to 
a  punishment  of  five  years  in  prison  and  a  fine  of  up  to  $250,000 
for  individuals  and  $500,000  for  organizations.  Violations  that  in- 
volve the  use  or  disclosure  of  protected  health  information  for  mon- 
etary gain  are  class  C  felonies  subject  to  a  punishment  of  ten  years 
in  prison  and  similar  fines.  Activities  that  violate  the  law  include 
requesting  or  obtaining  protected  health  information  under  false 
pretenses  from  a  health  information  trustee;  knowingly  obtaining 
protected  health  information  from  a  health  information  trustee; 
knowingly  obtaining  protected  health  information  from  a  health  in- 
formation trustee  with  the  intent  to  sell,  transfer,  or  use  the  infor- 
mation for  profit  or  monetary  gain;  knowingly  selling,  transferring, 
or  using  protected  health  information  for  profit  or  monetary  gain; 
knowingly  using  or  disclosing  protected  health  information;  and 
knowingly  selling,  transferring,  or  using  protected  health  informa- 
tion. 

SECTION  5181.  AMENDMENTS  TO  TITLE  5,  UNITED  STATES  CODE 

Protected health information currently maintained by federal
agencies is subject to the Privacy Act of 1974.153 The rules set out
in the Privacy Act are more general and not as rigorous as the
provisions of the Fair Health Information Practices Part. Section 5181
generally provides for exempting protected health information
subject to the Fair Health Information Practices Part from most
provisions of the Privacy Act. This is accomplished by requiring the
head of each agency to promulgate regulations to exempt systems
of records from the Privacy Act in so far as the systems contain
protected health information. This approach has been selected so
that the agencies will be able to review systems of records and
determine which have protected health information. The Privacy Act
has traditionally operated with limited exemptions for narrow
categories of records, and this method will work well here. By
requiring agencies to spell out the scope of the exemptions, it will be
clear which records are subject to which law.

153 5 U.S.C. § 552a (1988).

Protected  health  information  in  the  possession  of  federal  agencies 
is  not  totally  exempt  from  the  Privacy  Act.  For  example,  there  is 
no  reason  to  exempt  these  records  from  the  Privacy  Act's  publica- 
tion requirement.  The  published  description  of  agency  systems  of 
records  is  a  valuable  public  resource  as  well  as  a  useful  way  for 
agencies  to  keep  track  of  their  activities  involving  personal  infor- 
mation. Section  5181  is  selective  in  the  provisions  of  the  Privacy 
Act  from  which  protected  health  information  may  be  exempted. 
None  of  the  provisions  of  the  Privacy  Act  that  remain  applicable 
conflicts  with  the  requirements  of  the  Fair  Health  Information 
Practices Part.154

SECTION  5191.  REGULATIONS;  RESEARCH  AND  EDUCATION 

Section  5191(a)  directs  the  Secretary  of  Health  and  Human  Serv- 
ices to  prescribe  regulations  to  carry  out  the  Fair  Health  Informa- 
tion Practices  Part  by  July  1,  1996.  Section  5191(b)  authorizes  the 
Secretary  to  sponsor  research  on  privacy  and  to  develop  related 
forms  and  technology.  Section  5191(c)  authorizes  the  Secretary  to 
establish  education  and  awareness  programs. 

SECTION  5192.  EFFECTIVE  DATES 

Section  5192  establishes  the  effective  dates  for  the  Fair  Health 
Information  Practices  Part.  The  basic  provisions  will  take  effect  on 
January  1,  1997. 

SECTION  5193.  APPLICABILITY 

This  section  provides  transition  rules  that  apply  to  protected 
health  information  and  to  patient  authorizations  in  existence  on 
the  effective  date. 

SECTION  5194.  RELATIONSHIP  TO  OTHER  LAWS 

The general policy in section 5194 is that most provisions of the
Fair Health Information Practices Part are preemptive, and that
State laws that are inconsistent or that impose additional
requirement with respect to duties of health information trustees under
subpart A, authority to disclose under subpart B, access procedures
and challenge rights under subpart C, miscellaneous provisions
under subpart D, or enforcement under subpart E.

154 The Freedom of Information Act, 5 U.S.C. § 552 (1988), provides a mechanism that permits
any person to request a copy of any federal record. Under the FOIA's privacy exemption, medical
records have always been recognized as exempt. The passage of the Privacy Act of 1974 only
reinforced the confidentiality of federal health records. In case there is any doubt, it is the intent
of the Committee that the Fair Health Information Practices Part is a statute within the
meaning of the third exemption of the FOIA. The legal effect is to prevent the disclosure of protected
health information by a federal agency under the FOIA.

A  principal  exception  to  the  preemption  policy  is  found  in  section 
5194(b).  A  state  law  regarding  public  health  or  mental  health  that 
prohibits  or  regulates  a  disclosure  of  protected  health  information 
is  not  superseded  by  the  Fair  Health  Information  Practices  Part. 
In  essence,  any  stricter  state  disclosure  law  remains  valid  in  so  far 
as  it  applies  to  public  health  or  mental  health  records. 

Section  5194(c)  expressly  provides  that  States  may  establish  and 
enforce  criminal  penalties  with  respect  to  a  failure  to  comply  with 
a  provision  of  the  Fair  Health  Information  Practices  Part.  States 
are  encouraged  to  undertake  enforcement  of  the  provisions  of  the 
Part. 

Section  5194(d)  preserves  any  privileges — such  as  the  physician 
patient  privilege — that  may  exist  at  the  state  or  federal  level.  The 
policy  is  that  disclosures  of  protected  health  information — such  as 
to  insurers,  for  treatment,  or  for  oversight — should  not  be  treated 
as  interfering  with  these  existing  privileges.  Similarly,  if  a  patient 
authorizes  disclosure  of  protected  health  information  for  the  pur- 
pose of  receiving  or  paying  for  health  care,  that  act  does  not  waive 
any existing privilege.

Section  5194(e)  provides  a  special  use  and  disclosure  rule  for  the 
Department  of  Veterans  Affairs.  Health  care  and  other  benefit  pro- 
grams operated  by  the  Department  are  intertwined,  and  the  limita- 
tions in  the  Part  would  result  in  significant  and  unnecessary  dis- 
ruption. This  provision  allows  for  exchange  of  protected  health  in- 
formation within  the  Department  in  connection  with  benefit  pro- 
grams. 

Section  5194(f)  makes  it  clear  that  the  Fair  Health  Information 
Practices  Part  does  not  preempt,  supersede,  or  modify — 

(1)  any  law  that  provides  for  the  reporting  of  vital  statistics 
such  as  birth  or  death  information; 

(2)  any  law  requiring  the  reporting  of  abuse  or  neglect  infor- 
mation about  any  individual,  including  but  not  limited  to  child 
abuse  information; 

(3)  subpart  II  of  part  E  of  title  XXVI  of  the  Public  Health 
Service  Act  relating  to  notification  of  emergency  response  em- 
ployees of  possible  exposure  to  infectious  disease; 

(4)  the  Americans  with  Disabilities  Act  of  1990;  and 

(5)  any  federal  or  state  statute  that  establishes  a  privilege 
for  records  used  in  health  professional  peer  review  activities. 

This  list  of  unaffected  statutes  is  intended  to  remove  any  doubt 
about  the  effects  of  the  Fair  Health  Information  Practices  Part  on 
existing  laws.  The  list  should  not  be  read  to  suggest  that  statutes 
not  included  are  automatically  either  superseded  or  are  not  super- 
seded. The  effect  on  other  laws  should  be  evaluated  on  a  case  by 
case  basis. 

For  example,  some  information  covered  by  this  bill  will  continue 
to  be  covered  by  other  Federal  confidentiality  statutes,  and  this  bill 
is  not  intended  to  modify  those  statutes.  If  a  hospital  discloses  in- 
formation to  the  National  Center  for  Health  Statistics  for  research 
purposes under the procedures in section 5136, NCHS is constrained
both by the use and redisclosure provisions in subsection
(c) as well as by the Center's own confidentiality statute, section
308(d) of the Public Health Service Act.155 The bill's restrictions
and restrictions under section 903(c) of the Public Health Service
Act would both apply if the information is disclosed to the Agency
for Health Care Policy and Research or its grantees. Likewise,
identifiable information received from a health information service
organization by a health researcher who has protection for the
identity of research subjects under section 301(d) of the Public
Health Service Act,157 is protected both by section 301(d) and by
the restrictions in this bill.

Subsection  5194(f)  addresses  the  effect  of  the  Fair  Health  Infor- 
mation Practices  Part  on  existing  federal  drug  and  alcohol  laws. 
There  are  many  areas  in  which  the  drug  and  alcohol  laws  offer  pro- 
tections that  go  beyond  the  provisions  of  the  Fair  Health  Informa- 
tion Practices  Part  and  the  needs  of  other  medical  consumers  in 
order  to  meet  the  special  needs  of  patients  of  alcohol  and  drug 
treatment  facilities.  At  the  same  time,  there  are  some  provisions  in 
the  Fair  Health  Information  Practices  Part  that  offer  stronger  pro- 
tections. 

Examples  of  provisions  from  the  alcohol  and  drug  abuse  regula- 
tions that  are  more  reflective  of  the  needs  of  specif  needs  are  the 
patient  consent  requirements.  As  the  Legal  Action  Center  pointed 
out,  the  uses  of  consent  forms  in  alcohol  and  drug  abuse  pro- 
gram settings  are  different  from  other  medical  settings  in  ways 
that  allow  them  to  be  more  successful.  Alcohol  and  drug  abuse 
treatment  programs  and  their  clients  are  linked  in  common  cause 
to  protect  privacy  so  that  clients  feel  it  is  safe  to  obtain  treatment. 
The consent forms required by the regulations159 are much more
specific  than  the  normal  medical  release  form.  It  is  apparent  that 
the  different  approach  to  patient  consent  in  the  Fair  Health  Infor- 
mation Practices  Part  will  not  work  in  the  alcohol  and  drug  treat- 
ment context.  Similarly,  the  next  of  kin  disclosure  rules  in  the  Fair 
Health  Information  Practices  Part  are  not  appropriate  for  the  spe- 
cial needs  of  alcohol  and  drug  abuse  treatment. 

Another  area  in  which  the  alcohol  and  drug  abuse  rules  clearly 
offer  stronger  protection  is  in  the  area  of  law  enforcement  and 
criminal  justice.  Law  enforcement  inquiries  are  much  more  sharply 
regulated  as  are  rules  about  responding  to  subpoenas  and  search 
warrants.  While  these  stricter  rules  may  not  be  needed  in  other 
medical  treatment  settings,  they  are  clearly  appropriate  for  alcohol 
and  drug  abuse  treatment. 

The  Fair  Health  Information  Practices  Part  does  improve  upon 
the  alcohol  and  drug  abuse  rules  in  several  ways.  Duty  to  warn  dis- 
closures are  defined  more  clearly  under  section  5137  than  under 
the  alcohol  and  drug  abuse  rules.  Also,  the  civil  and  criminal  sanc- 
tions for  breach  of  the  Fair  Health  Information  Practices  Part  are 
stronger. 


155 42 U.S.C.A. 242m(d) (West Supp. 1994).

156 42 U.S.C.A. 299a-1 (West Supp. 1994).

157 42 U.S.C.A. 241 (West Supp. 1994).

158 See testimony of Susan Jacobs, Staff Attorney, Legal Action Center, in H.R. 4077 Hearings
(May 5, 1994). The Legal Action Center specializes in policy and legal issues in the intersecting
areas of drug and alcohol abuse and AIDS.

159 42 C.F.R. Part 2 (1993).

In order to meld the Fair Health Information Practices Part with
the existing drug and alcohol rules, section 5194(g) provides that
no  provision  of  the  Part  preempts,  supersedes,  or  modifies  the  oper- 
ation of  section  543  of  the  Public  Health  Service  Act  except  to  the 
extent  that  the  Secretary  of  Health  and  Human  Services  deter- 
mines through  regulations  that  the  Fair  Health  Information  Prac- 
tices Part  provides  greater  protection  for  protected  health  informa- 
tion and  for  the  rights  of  protected  individuals  than  is  provided 
under  that  section.  There  is  a  similar  provision  that  gives  the  Sec- 
retary of  Veterans  Affairs  the  same  authority  with  respect  to  38 
U.S.C.  §  7332.  The  result  intended  by  the  Committee  is  to  provide 
alcohol  and  drug  abuse  records  with  the  strongest  protections  for 
protected  health  information  and  for  protected  individuals  that  can 
be  found  in  either  law. 

Report  on  Section  5401  of  Title  V 

PURPOSE  AND  SUMMARY 

The  purpose  of  this  amendment  is  to  prevent  and  detect  fraud 
and  abuse  in  the  provision  of  health  care. 

The  amendment  provides  for  improved  coordination — including 
the sharing of data — both among Federal law enforcement agencies
and  between  the  Federal  agencies  and  the  State  agencies  enforcing 
the  Federal  health  fraud  and  abuse  provisions.  The  amendment 
also  provides  a  new  source  of  funds  for  these  Federal  and  State  law 
enforcement  agencies:  a  special  fund  comprised  of  fines,  penalties, 
damages,  and  proceeds  from  forfeitures  collected  from  those  who 
violate  Federal  health  fraud  and  abuse  provisions.  This  special 
fund  can  be  used  by  Federal  and  State  law  enforcement  agencies 
to  supplement  regularly  appropriated  funds  in  combatting  health 
care  fraud  and  abuse. 

BACKGROUND  AND  NEED  FOR  LEGISLATION 

A.  Introduction 

The  Committee  finds  that  fraud,  waste,  and  abuse  are  flourish- 
ing in  the  nation's  health  care  industry.  This  fraud,  waste,  and 
abuse  has  serious  consequences.  The  American  Medical  Associa- 
tion, for  example,  testified  "The  fraudulent  and  abusive  schemes 
that,  unfortunately,  have  become  so  prevalent  in  our  health  care 
system  often  lead  to  the  rendering  of  medically  unethical  or  poten- 
tially harmful  testing,  as  well  as  inaccurate,  misleading,  and  false 
diagnoses.  As  a  consequence,  such  practices  undermine  health  care 
delivery  and  have  future  patient  and  societal  ramifications  by  gen- 
erating unnecessary  fear,  jeopardizing  the  ability  to  obtain  univer- 
sal health  care  coverage  in  the  future,  and  increasing  the  already 
high  cost  of  health  care." 

The  Committee  concludes  that  necessary  improvements  in  com- 
batting health  care  fraud  and  abuse  include  better  coordination  of 
Federal  and  State  law  enforcement  efforts,  more  resources  devoted 
to  Federal  and  State  law  enforcement,  and  enhancement  of  the  na- 
tion's current  health  information  system. 

B. Scope of health care fraud and abuse

Witnesses testified that fraud, waste, and abuse constitute between
three and ten percent of current expenditures on health care
in  the  United  States.  This  would  mean  that  the  annual  cost  of 
health  care  fraud,  waste,  and  abuse  is  between  $30  billion  and 
$100  biUion. 

Some  health  care  fraud  is  national.  For  example,  in  June  1994 
National  Medical  Enterprises,  Inc.  ("NME")  agreed  with  the  De- 
partment of  Justice  ("DOJ")  to  pay  $379  million  in  criminal  fines, 
civil  damages,  and  penalties  to  the  Federal  government  and  several 
States  for  kickbacks  and  fraud  at  NME  psychiatric  and  substance 
abuse  hospitals  in  more  than  30  states.  As  another  example,  National
Health  Laboratories,  Inc.  ("NHL"),  one  of  the  nation's  largest
clinical  laboratories,  agreed  with  the  DOJ  in  December  1992  to  pay 
$110.5  million  to  settle  claims  that  it  had  over-charged  Medicare 
and  33  State  Medicaid  programs  for  certain  laboratory  blood  tests. 

Other  health  care  fraud  is  local,  involving,  for  example,  false  bills 
submitted  by  a  single  chiropractor,  dentist,  durable  medical  equip- 
ment firm,  hospital,  nursing  home,  pharmacist,  physician,  podia- 
trist, or  transportation  company. 

C.  Types  of  health  care  fraud  and  abuse 

The  Committee  finds  that  the  nature  of  health  care  fraud  and 
abuse  are  generally  different  for  "fee-for-service"  and  "prepaid" 
health  care  providers.  According  to  the  General  Accounting  Office 
("GAO"),  in  a  fee-for-service  health  system  fraud  and  abuse  include 
overcharging  payers  for  services  provided,  charging  for  services  not 
rendered,  accepting  bribes  or  kickbacks  for  referring  patients,  and 
rendering  unnecessary  services.  In  contrast,  fraudulent  or  abusive 
practices  found  among  prepaid  health  plans  involve  avoiding  ex- 
pensive treatments,  underfinancing  health  plan  operations,  dis- 
regarding member  complaints,  providing  poor-quality  care,  and 
using  deceptive  marketing  practices. 

D.  Current  efforts  at  preventing  health  care  fraud  and  abuse 

1.  Activities  of  Major  Federal  Agencies 

Three  Federal  agencies — which  in  fiscal  year  1993  spent  about
$257  billion  on  health  care — now  investigate  fraud,  waste,  and 
abuse  in  the  health  care  programs  for  which  they  are  responsible. 
The  Inspector  General  of  the  Department  of  Health  and  Human 
Services  ("HHS")  investigates  fraud  and  abuse  in  three  programs: 
the  Medicare  program  (which  last  year  spent  about  $145  billion  to 
cover  about  35  million  people),  the  Medicaid  program  (which  last 
year  spent  about  $81  billion  in  Federal  funds  to  cover  about  24  mil- 
lion people),  and  the  Indian  Health  Service  (which  last  year  spent 
about  $2  billion  to  cover  about  one  million  people).  The  Inspector
General  of  the  Department  of  Defense  ("DOD")  investigates  fraud
and  abuse  in  the  Civilian  Health  and  Medical  Program  of  the  Uniform
Services  ("CHAMPUS")  (which  last  year  spent  about  $5  billion
to  cover  about  seven  million  persons)  and  medical  care  for  military
personnel  (which  last  year  spent  about  $9  billion  to  cover
about  2  million  persons).  The  Inspector  General  of  the  Department
of  Veterans  Affairs  ("VA")  investigates  fraud  and  abuse  in  the  VA's
health  system  (which  last  year  spent  about  $15  billion  to  cover
about  three  million  persons).

The  Inspector  General  of  the  Department  of  Labor  ("DOL")  inves- 
tigates bogus  companies  that  purport  to  sell  health  insurance  to 
unions  and  small  companies. 

Each  of  these  four  Inspectors  General  conducts  his  or  her  investigations
under  both  the  Inspector  General  Act  of  1978,  5  USC  App.
3,  and  the  Program  Fraud  Civil  Remedies  Act  of  1986,  31  USC  sec.
3801  et  seq.

The  HHS  Inspector  General  has  additional  powers,  under  specific 
Medicare  and  Medicaid  legislation,  to  bring  an  administrative  ac- 
tion to  exclude  health  care  providers  and  to  impose  civil  monetary 
penalties.  42  USC  sec.  1320a-7  and  1395dd.  For  example,  during
the  six  month  period  April  1,  1993  to  September  30,  1993  the  HHS
Inspector  General  excluded  over  500  individuals  and  entities  and
recouped  about  $123  million  because  of  illegitimate  Medicare  and
Medicaid  claims.  The  Committee  is  concerned  that  frequently  the
Federal  government  merely  imposes  monetary  penalties  rather
than  requiring  incarceration  of  those  who  have  defrauded  the  Federal
health  care  system.

In  addition  to  the  Inspectors  General,  the  Department  of  Justice
both  investigates  (using  the  Federal  Bureau  of  Investigation)  and 
prosecutes  criminal  and  civil  cases  in  the  area  of  health  care  fraud 
and  abuse. 

2.  State  and  private  activities 

State  governments  are  also  concerned  about  fraud  and  abuse  in 
health  care.  State  governments  investigate  and  prosecute  fraud 
and  abuse  in  the  Medicaid  system  (on  which  States  spent  about 
$60  billion  in  fiscal  year  1993);  the  Federal  government  pays  75  to 
90  percent  of  the  costs  of  the  State  Medicaid  Fraud  Control  Units.
State  insurance  commissioners  investigate  health  insurance  fraud
and  abuse.

Private  insurance  companies  and  companies  that  self-insure
health  care  may  also  investigate  fraud  and  abuse  in  the  health  care
system.  Their  efforts  are  hampered,  however,  according  to  GAO,
because  of  legal  problems  in  sharing  information  and  a  lack  of  effective
legal  remedies.

3.  Federal  resources  now  devoted  to  combatting  health  care  fraud  and  abuse

To  prevent  health  care  fraud  and  abuse  the  Federal  government
is  spending  only  about  one  tenth  of  one  percent  of  what  it  spends
on  health  care.  Most  of  the  approximate  $300  million  spent  by  the
Federal  government  to  combat  health  care  fraud  and  abuse  is  spent
by  HHS,  which  in  fiscal  year  1993  spent  about  $243  million,  including
about  $40  million  in  the  HHS  Inspector  General's  office,  about
$58  million  to  partially  finance  State  Medicaid  Fraud  Control
Units,  and  about  $145  million  paid  to  40  private  companies  that
process  Medicare  claims  to  help  detect  both  medically  unnecessary
treatment  and  fraudulent  claims.  The  VA  Inspector  General  spends
about  $9  million  on  health  care  fraud  and  abuse;  the  DOD  Inspector
General  spends  about  $6  million,  and  the  Department  of  Labor
Inspector  General  spends  about  $3  million.  The  Federal  Bureau  of
Investigation  is  spending  about  $20-30  million  a  year  investigating
health  care  fraud.

The  Federal  government  recovers  more  in  health  fraud  cases 
than  it  spends  investigating  them.  In  fiscal  year  1993  the  Depart- 
ment of  Justice,  HHS  Inspector  General,  DOD  Inspector  General, 
and  VA  Inspector  General  together  recovered  about  $438  million  in
fraudulent  payments  in  Federal  health  programs,  as  compared  to
less  than  $100  million  spent  by  them  in  combatting  health  care
fraud.

However,  in  recent  years  there  has  been  no  significant  increase
in  the  amount  of  Federal  resources  devoted  to  combatting  health
care  fraud  and  abuse.  GAO  testified  that  "public  funding  for  health
care  enforcement  activities  has  not  kept  pace  with  the  growth  in
health  care  expenditures.  For  example,  the  number  of  HHS  Inspector
General  investigators  has  actually  declined  over  the  past  5
years,  although  the  Inspector  General's  statutory  responsibilities
and  the  size  and  complexity  of  the  federal  programs  that  the  Inspector
General  investigates  have  increased  significantly."

HEARINGS

The  Subcommittee  on  Human  Resources  and  Intergovernmental
Relations  held  two  oversight  hearings  in  this  Congress  on  health
care  fraud  and  abuse.

On  August  2,  1993  the  Subcommittee  held  an  oversight  hearing
on  prescription  drug  diversion  in  the  Medicaid  program.  The  witnesses
at  this  hearing  were:  the  Honorable  Charles  B.  Rangel;  Leslie
Aronovitz,  Associate  Director,  Health  Financing  Issues,  General
Accounting  Office;  Shirah  Neiman,  Deputy  United  States  Attorney,
Southern  District  of  New  York;  Thomas  F.  Staffa,  Chief  of  the
Criminal  Division,  Office  of  the  New  York  State  Special  Prosecutor
for  Medicaid  Fraud  Control;  and  Beth  Taylor,  Director,  Texas  Medicaid
Fraud  Control  Unit,  Office  of  the  Attorney  General.

On  February  25,  1994  the  Subcommittee  held  an  oversight  hear- 
ing on  Medicaid  fraud  in  Florida.  The  witnesses  at  this  hearing 
were:  Leslie  G.  Aronovitz,  Associate  Director,  Human  Resources  Di- 
vision, General  Accounting  Office;  Rufus  D.  Noble,  Inspector  Gen- 
eral, Florida  Agency  for  Health  Care  Administration;  John  Morris, 
Director,  Florida  Medicaid  Fraud  Control  Unit;  Yaakov  "Jack"
Kronfeld,  President,  Genesis  Health  Care;  Robert  Palenzuela,  Chief
Operating  Officer  and  General  Counsel,  Community  Medical  Plan,
Inc.;  and  Marshall  Kelley,  Director  of  Medicaid,  Florida  Agency  for 
Health  Administration. 

On  March  17,  1994  the  Subcommittee  on  Legislation  and  Na- 
tional Security  and  the  Subcommittee  on  Human  Resources  and 
Intergovernmental  Relations  held  a  joint  legislative  hearing  on  the 
fraud  and  abuse  provisions  in  H.R.  3600.  The  witnesses  at  this
hearing  were:  Leslie  G.  Aronovitz,  Associate  Director,  Health  Financing,
General  Accounting  Office;  the  Honorable  Derek  J.
Vander  Schaaf,  Deputy  Inspector  General  of  the  Department  of  Defense;
the  Honorable  June  Gibbs  Brown,  Inspector  General  of  the
Department  of  Health  and  Human  Resources;  the  Honorable
Charles  C.  Masten,  Inspector  General  of  the  Department  of  Labor;
the  Honorable  Stephen  A.  Trodden,  Inspector  General  of  the  Department
of  Veterans  Affairs;  Gerald  M.  Stern,  Special  Counsel  for
Financial  Institution  Fraud,  Department  of  Justice;  William  W.
Whatley,  Jr.,  Alabama  Deputy  Attorney  General,  President,  National
Association  of  Medicaid  Fraud  Control  Units;  David  J.
Lyons,  Iowa  Commissioner  of  Insurance,  Vice  President,  National
Association  of  Insurance  Commissioners;  William  J.  Mahon,  Executive
Director,  National  Health  Care  Anti-Fraud  Association;  and
Dr.  Jerald  R.  Schenken,  Member,  Board  of  Trustees,  American
Medical  Association.

COMMITTEE  CONSIDERATION 

On  July  27,  1994  the  Subcommittee  on  Human  Resources  and 
Intergovernmental  Relations,  a  quorum  being  present,  approved  by 
voice  vote  an  amendment  offered  by  Mr.  Towns  and  Mr.  Schiff  to 
section  5401.  Mr.  Schiff  then  offered  an  amendment  providing  that 
in  the  case  of  a  Federal  health  care  offense,  the  attorney  for  the 
government  may  not,  in  exchange  for  payment  by  a  defendant  of 
any  monetary  amount,  reduce  the  exposure  of  the  defendant  to  a 
term  of  imprisonment  by  moving  for  dismissal  or  reduction  of 
charges.  Mr.  Towns,  while  indicating  general  support  for  the  intent 
of  the  amendment,  said  it  was  not  germane,  and  Mr.  Schiff  with- 
drew the  amendment. 

On  July  27,  1994  the  Committee  on  Government  Operations,  a 
quorum  being  present,  approved  by  voice  vote  the  amendment  as 
reported  by  the  Subcommittee  and  ordered  the  amendment  re- 
ported. 

SECTION-BY-SECTION  ANALYSIS  AND  DISCUSSION 

Subsection  (a)  of  the  amendment  provides  for  Federal  efforts  by
Inspectors  General  and  the  Attorney  General  to  prevent  and  detect
health  care  fraud  and  abuse.  The  subsection  authorizes  six  Federal
officials — the  Inspector  General  of  the  Department  of  Health  and
Human  Services  ("HHS"),  the  Inspector  General  of  the  Department
of  Defense  ("DOD"),  the  Inspector  General  of  the  Department  of
Labor  ("DOL"),  the  Inspector  General  of  the  Office  of  Personnel
Management  ("OPM"),  the  Inspector  General  of  the  Department  of
Veterans  Affairs  ("DVA"),  and  the  Attorney  General — to  prevent,
detect,  and  control  health  care  fraud  and  abuse  in  violation  of  any
Federal  law.  However,  the  Inspectors  General  other  than  the  Inspector
General  of  HHS  may  not  investigate  health  care  fraud  and
abuse  under  various  titles  of  the  Social  Security  Act.  The  Committee
intends  that  the  Inspectors  General,  in  carrying  out  these  responsibilities,
may  exercise  all  the  powers  available  under  the  Inspector
General  Act  of  1978  even  if  the  fraud  and  abuse  does  not
involve  Federal  funds.

Each  of  these  six  Federal  officials  is  to  prepare  an  annual  inves- 
tigative plan  for  the  prevention,  detection,  and  control  of  health 
care  fraud  and  abuse  and  to  consult  with  each  other  and  with  other
Federal,  State,  and  local  law  enforcement  agencies  and  agencies  re- 
sponsible for  the  licensing  and  certification  of  health  care  provid- 
ers. 

The  Inspector  General  of  HHS  and  the  Attorney  General  are
jointly  to  establish  by  January  1,  1996  a  program  to  coordinate  the 
activities  of  Federal,  State,  and  local  law  enforcement  agencies  and 
Federal  and  State  agencies  responsible  for  licensing  and  certifying 
health  care  providers  in  preventing,  detecting,  and  controlling
health  care  fraud  and  abuse.  A  description  of  this  program  shall  be 
published  in  the  Federal  Register  by  June  30,  1995. 

Subsection  (b)  of  the  amendment  provides  for  State  prevention, 
detection,  and  control  of  health  care  fraud  and  abuse  in  violation 
of  any  Federal  law.  The  Governor  of  each  State,  consistent  with 
State  law,  is  to  designate  State  agencies  which  shall  prevent,  de- 
tect, and  control  health  care  fraud  and  abuse  within  the  State  that 
violates  any  Federal  law.  One  of  these  agencies  is  to  be  designated 
as  the  lead  agency  for  the  State. 

The  amendment  also  provides  that  a  State  may  establish  a  State 
Health  Care  Fraud  Control  Unit  ("Fraud  and  Abuse  Unit"),  mod- 
eled after  existing  Medicaid  Fraud  Control  Units.  The  amendment 
includes  the  criteria  which  must  be  met  by  the  Fraud  and  Abuse 
Unit,  including  its  separation  from  any  State  agency  responsible 
for  administering  any  Federally  funded  or  mandated  health  care 
program  and  the  authority  to  prosecute  individuals  for  criminal 
violations  or  assist  in  such  prosecutions.  The  Committee  expects 
that  in  most  cases  the  lead  agency  for  the  State  will  be  the  Medic- 
aid Fraud  Control  Unit  created  pursuant  to  42  U.S.C.  1396b(q). 

Each  State's  Fraud  and  Abuse  Unit  may  submit  each  year  to  the 
Inspector  General  of  HHS  and  the  Attorney  General  a  plan  for  pre- 
venting, detecting,  and  controlling  health  care  fraud  and  abuse  in 
the  State  that  is  consistent  with  the  Federal  plan  for  preventing, 
detecting,  and  controlling  health  care  fraud  and  abuse.  The  Inspec- 
tor General  of  HHS  shall  approve  the  plan  unless  the  Inspector 
General  establishes  that  the  State  plan  is  inconsistent  with  the 
Federal  plan  or  will  not  enable  the  State  agencies  to  prevent,  de- 
tect, and  control  health  care  fraud  and  abuse.  Each  Fraud  and 
Abuse  Unit  shall  submit  an  annual  report  to  the  Inspector  General 
of  HHS. 

The  Inspector  General  of  HHS  shall  report  to  Congress  twice  a 
year  on  how  well  the  States  are  preventing,  detecting,  and  control- 
ling health  care  fraud  and  abuse. 

Subsection  (c)  of  the  amendment  provides  that  for  those  States 
which  have  established  a  Fraud  and  Abuse  Unit  and  for  which  an 
annual  plan  has  been  submitted  and  approved,  the  Inspector  Gen- 
eral of  HHS  shall  pay  each  State  agency — subject  to  availability  of 
appropriations — an  amount  equal  to  75  percent  of  the  agency's 
costs  in  combatting  health  care  fraud  and  abuse. 

Subsection  (d)  of  the  amendment  directs  the  Inspector  General  of 
HHS  and  the  Attorney  General  to  establish  a  program  for  the  shar- 
ing among  Federal,  State,  and  local  law  enforcement  agencies  and 
health  care  providers  and  insurers  of  data  related  to  possible 
health  care  fraud  and  abuse. 

Subsections  (e)  through  (h)  of  the  amendment  establish  a  Health 
Care  Fraud  and  Abuse  Enforcement  Control  Account  ("the  Ac- 
count") to  help  pay  for  the  Federal  and  State  costs  of  preventing 
and  controlling  health  care  fraud  and  abuse.  The  Account  has  an 
expenses  subaccount  and  a  reserve  subaccount.  Into  the  expenses 
subaccount  are  deposited:  (1)  all  fines  for  health  care  fraud  and 
abuse,  (2)  civil  penalties  and  damages  (other  than  restitution)  for 
false  claims  based  on  health  care  fraud  and  abuse,  (3)  administra- 
tive penalties  under  the  Social  Security  Act,  (4)  proceeds  of  seizures 
and  forfeitures  of  property  in  connection  with  health  care  fraud  and
abuse  in  violation  of  any  Federal  law,  and  (5)  donations.  Once  the 
expenses  subaccount  reaches  $500  million,  it  cannot  grow  by  more 
than  10  percent  per  annum.  Sums  in  excess  of  this  ceiling  are  de- 
posited into  the  reserve  subaccount  until  it  reaches  10  percent  of 
the  amount  in  the  expenses  subaccount.  Additional  sums  are  to  be 
transferred  to  the  general  fund  of  the  Treasury.  Funds  from  the  re- 
serve subaccount  can  be  transferred  to  the  expenses  subaccount  in 
a  particular  year  so  that  expenditures  from  the  expenses  sub- 
account do  not  fluctuate  widely. 

The  HHS  Inspector  General  and  the  Attorney  General  are  jointly
to  use  the  funds  in  the  expenses  subaccount  to  pay  their  expenses
and  the  expenses  of  other  Inspectors  General  and  Federal,  State,
and  local  agencies  in  connection  with  their  prevention  and  detec- 
tion of  health  care  fraud  and  abuse.  A  State  or  local  law  enforce- 
ment agency  is  to  receive  an  amount  from  the  expenses  subaccount 
that  reflects  generally  and  equitably  the  contribution  of  that  agen- 
cy to  the  deposits  made  into  the  expenses  subaccount. 

Amounts  received  from  the  expenses  subaccount  are  to  supple- 
ment regularly  appropriated  funds  for  these  Federal  agencies. 

An  Account  Payments  Advisory  Board  ("the  Board")  is  estab- 
lished to  make  recommendations  to  the  HHS  Inspector  General 
and  the  Attorney  General  regarding  the  equitable  allocation  of 
amounts  in  the  Account.  The  Board  is  comprised  of  four  Federal
officials — the  Inspector  General  of  the  DOD,  the  Inspector  General  of
the  DOL,  the  Inspector  General  of  the  OPM,  and  the  Inspector
General  of  the  DVA — and  ten  members  appointed  by  the  Inspector
General  of  HHS  to  represent  State  law  enforcement  agencies,  with
one  member  being  appointed  from  each  of  the  ten  regions  of  the
country  established  by  the  Office  of  Management  and  Budget  from
among  persons  recommended  by  the  heads  of  those  State  law  enforcement
agencies  designated  by  the  Governors  in  each  region.

Subsection  (i)  of  the  amendment  defines  the  terms  "account,"
"expenses  subaccount,"  "health  care  fraud  and  abuse  control  unit,"
"Inspector  General,"  and  "reserve  subaccount."

Subsection  (j)  gives  the  effective  dates  of  section  5401. 

Committee  Oversight  Findings 

Pursuant  to  clause  2(1)(3)(A)  and  clause  2(1)(3)(D)  of  rule  XI  of 
the  Rules  of  the  House  of  Representatives,  the  Committee  held 
oversight  hearings  and  made  findings  that  are  reflected  in  the  leg- 
islation and  in  this  report. 

Committee  Cost  Estimate 

Pursuant  to  clause  7(a)  of  rule  XIII  of  the  Rules  of  the  House  of 
Representatives,  the  Committee  makes  the  following  estimate  of 
the  costs  of  carrying  out  these  amendments  for  fiscal  year  1994  and
for  the  succeeding  five  fiscal  years.  The  Committee  estimates  that 
enactment  of  the  Fair  Health  Information  Practices  Part  will  have 
no  net  cost  to  the  Federal  government  and  may  actually  save 
money  by  establishing  uniform  rules  and  by  supporting  the  use  of 
more  efficient  computer  and  telecommunication  technology  for  the 
transfer  of  health  information.  The  Committee  also  estimates  that 
the  amendment  to  section  5401  of  title  V  will  have  no  net  cost  to
the  Federal  government  and  will  actually  save  the  Federal  govern- 
ment money,  since  the  sums  spent  each  year  by  the  Federal  gov- 
ernment in  preventing  and  detecting  health  care  fraud  and  abuse 
are  substantially  less  than  the  repayments  made  to  the  Federal 
government  by  those  who  are  caught  defrauding  the  Federal  gov- 
ernment. 

Inflationary  Impact  Statement 

Pursuant  to  clause  2(1)(4)  of  rule  XI  of  the  Rules  of  the  House 
of  Representatives,  the  Committee  makes  the  following  statement 
with  regard  to  the  inflationary  impact  of  the  amendments:  the 
amendment  adding  the  Fair  Health  Information  Practices  Part  will 
not  have  an  inflationary  impact  because  it  will  likely  reduce  costs 
by  establishing  uniform  rules  and  by  supporting  the  use  of  more  ef- 
ficient computer  and  telecommunication  technology  for  the  transfer 
of  health  information;  and  the  amendment  to  section  5401  of  title 
V  will  not  have  an  inflationary  impact  because  it  will  reduce  the 
amount  of  fraud  and  abuse  in  the  delivery  of  health  care. 

Changes  in  Existing  Law  Made  by  the  Bill,  as  Reported 

Pursuant  to  the  terms  of  the  referral  of  the  bill  to  the  Commit- 
tee, the  Committee  adopted  amendments  to  subtitle  B  of  title  V 
and  section  5401. 

In  compliance  with  clause  3  of  rule  XIII  of  the  Rules  of  the  House 
of  Representatives,  changes  in  existing  law  made  by  the  portions 
of  the  bill  to  which  amendments  were  adopted  by  the  Committee, 
as  reported,  are  shown  as  follows  (existing  law  proposed  to  be  omit- 
ted is  enclosed  in  black  brackets,  new  matter  is  printed  in  italic, 
existing  law  in  which  no  change  is  proposed  is  shown  in  roman): 

TITLE  18,  UNITED  STATES  CODE 


PART  I— CRIMES 

Chap.  Sec. 

1.  General  provisions   1 

2.  Aircraft  and  motor  vehicles   31 

3.  Animals,  birds,  fish,  and  plants    41 

******* 

90.  Protected  health  information    1831

******* 

CHAPTER  90— PROTECTED  HEALTH  INFORMATION 

Sec.

1831.  Definitions.

1832.  Obtaining  protected  health  information  under  false  pretenses.

1833.  Monetary  gain  from  obtaining  protected  health  information  under  false  pretenses.

1834.  Knowing  and  unlawful  obtaining  of  protected  health  information.

1835.  Monetary  gain  from  knowing  and  unlawful  obtaining  of  protected  health  information.

1836.  Knowing  and  unlawful  use  or  disclosure  of  protected  health  information.

1837.  Monetary  gain  from  knowing  and  unlawful  sale,  transfer,  or  use  of  protected
health  information.

§1831.  Definitions 

As  used  in  this  chapter — 

(1)  the  term  "health  information  trustee"  has  the  meaning 
given  such  term  in  section  5120(b)(6)  of  the  Health  Security  Act; 

(2)  the  term  "protected  health  information"  has  the  meaning
given  such  term  in  section  5120(a)(3)  of  such  Act;  and 

(3)  the  term  "protected  individual"  has  the  meaning  given 
such  term  in  section  5120(a)(4)  of  such  Act. 

§1832.  Obtaining  protected  health  information  under  false
pretenses 

Whoever  under  false  pretenses — 

(1)  requests  or  obtains  protected  health  information  from  a 
health  information  trustee;  or 

(2)  obtains  from  a  protected  individual  an  authorization  for 
the  disclosure  of  protected  health  information  about  the  individ- 
ual maintained  by  a  health  information  trustee; 

shall  be  fined  under  this  title  or  imprisoned  not  more  than  5  years, 
or  both. 

§1833.  Monetary  gain  from  obtaining  protected  health  information
under  false  pretenses

Whoever  under  false  pretenses — 

(1)  requests  or  obtains  protected  health  information  from  a 
health  information  trustee  with  the  intent  to  sell,  transfer,  or 
use  such  information  for  profit  or  monetary  gain;  or 

(2)  obtains  from  a  protected  individual  an  authorization  for 
the  disclosure  of  protected  health  information  about  the  individ- 
ual maintained  by  a  health  information  trustee  with  the  intent 
to  sell,  transfer,  or  use  such  authorization  for  profit  or  monetary 
gain; 

and  knowingly  sells,  transfers,  or  uses  such  information  or  author- 
ization for  profit  or  monetary  gain  shall  be  fined  under  this  title  or 
imprisoned  not  more  than  10  years,  or  both. 

§1834.  Knowing  and  unlawful  obtaining  of  protected  health
information 

Whoever  knowingly  obtains  protected  health  information  from  a 
health  information  trustee  in  violation  of  part  2  of  subtitle  B  of  title 
V  of  the  Health  Security  Act,  knowing  that  such  obtaining  is  unlaw- 
ful, shall  be  fined  under  this  title  or  imprisoned  not  more  than  5 
years,  or  both. 

§1835.  Monetary  gain  from  knowing  and  unlawful  obtaining
of  protected  health  information 

Whoever  knowingly — 

(1)  obtains  protected  health  information  from  a  health  infor- 
mation trustee  in  violation  of  part  2  of  subtitle  B  of  title  V  of 
the  Health  Security  Act,  knowing  that  such  obtaining  is  unlaw- 
ful and  with  the  intent  to  sell,  transfer,  or  use  such  information 
for  profit  or  monetary  gain;  and 

(2)  knowingly  sells,  transfers,  or  uses  such  information  for
profit  or  monetary  gain;

shall  be  fined  under  this  title  or  imprisoned  not  more  than  10  years,
or  both.

§1836.  Knowing  and  unlawful  use  or  disclosure  of  protected 
health  information 

Whoever  knowingly  uses  or  discloses  protected  health  information 
in  violation  of  part  2  of  subtitle  B  of  title  V  of  the  Health  Security 
Act,  knowing  that  such  use  or  disclosure  is  unlawful,  shall  be  fined 
under  this  title  or  imprisoned  not  more  than  5  years,  or  both. 

§1837.  Monetary  gain  from  knowing  and  unlawful  sale, 
transfer,  or  use  of  protected  health  information 

Whoever  knowingly  sells,  transfers,  or  uses  protected  health  infor- 
mation in  violation  of  part  2  of  subtitle  B  of  title  V  of  the  Health 
Security  Act,  knowing  that  such  sale,  transfer,  or  use  is  unlawful, 
shall  be  fined  under  this  title  or  imprisoned  not  more  than  10  years, 
or  both. 

******* 


SECTION  552a  OF  TITLE  5,  UNITED  STATES  CODE 
§  552a.  Records  maintained  on  individuals 

(a)  *  *  * 

******* 

(f)  Agency  Rules. — In  order  to  carry  out  the  provisions  of  this 
section,  each  agency  that  maintains  a  system  of  records  shall  pro- 
mulgate rules,  in  accordance  with  the  requirements  (including  gen- 
eral notice)  of  section  553  of  this  title,  which  shall — 

*  *  * 

(3)  establish  procedures  for  the  disclosure  to  an  individual 
upon  his  request  of  his  record  or  information  [pertaining  to 
him,  including  special  procedure,  if  deemed  necessary,  for  the 
disclosure  to  an  individual  of  medical  records,  including  psy- 
chological records  pertaining  to  him;]  pertaining  to  the  individ- 
ual; 

******* 
(w)  Medical  Exemptions. — The  head  of  an  agency  that  is  a 
health  information  trustee  (as  defined  in  section  5120(b)(6)  of  the 
Health  Security  Act)  shall  promulgate  rules,  in  accordance  with  the 
requirements  (including  general  notice)  of  subsections  (b)(1),  (b)(2), 
(b)(3),  (c),  and  (e)  of  section  553  of  this  title,  to  exempt  a  system  of 
records  within  the  agency,  to  the  extent  that  the  system  of  records 
contains  protected  health  information  (as  defined  in  section 
5120(a)(3)  of  such  Act),  from  all  provisions  of  this  section  except 
subsections  (e)(1),  (e)(2),  subparagraphs  (A)  through  (C)  and  (E) 
through  (I)  of  subsection  (e)(4),  and  subsections  (e)(5),  (e)(6),  (e)(9),
(e)(12),  (l),  (n),  (o),  (p),  (q),  (r),  and  (u).